You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
It is possible to allow a previously disallowed item when done in a class with specified attributes.
4
+
You can use the `allowInClassWithAttributes` configuration option.
5
+
6
+
This is supported for the following items:
7
+
- function calls
8
+
- method calls
9
+
- attribute usages
10
+
- namespace usages
11
+
- classname usages
12
+
13
+
For example, if you'd have a configuration like this:
14
+
15
+
```neon
16
+
parameters:
17
+
disallowedMethodCalls:
18
+
-
19
+
method: 'PotentiallyDangerous\Logger::log()'
20
+
allowInClassWithAttributes:
21
+
- MyAttribute
22
+
```
23
+
24
+
Then the `log()` call would be allowed in a class that would look like this, note the attribute added on the class:
25
+
26
+
```php
27
+
#[MyAttribute]
28
+
class Foo
29
+
{
30
+
public function bar(): void
31
+
{
32
+
$this->dangerousLogger->log('something');
33
+
}
34
+
}
35
+
```
36
+
37
+
On the other hand, if you need to disallow an item only when present in a method from a class with a given attribute,
38
+
use `allowExceptInClassWithAttributes` (or the `disallowInClassWithAttributes` alias):
39
+
40
+
```neon
41
+
parameters:
42
+
disallowedMethodCalls:
43
+
-
44
+
method: 'PotentiallyDangerous\Logger::log()'
45
+
allowExceptInClassWithAttributes:
46
+
- SomeAttribute
47
+
```
48
+
49
+
The `log()` method call would be allowed in the following class:
50
+
51
+
```php
52
+
class Foo
53
+
{
54
+
public function bar(): void
55
+
{
56
+
$this->dangerousLogger->log('something');
57
+
}
58
+
}
59
+
```
60
+
61
+
It would be disallowed in this class and in this class only because it has the `SomeAttribute` attribute:
62
+
63
+
```php
64
+
#[SomeAttribute]
65
+
class Foo
66
+
{
67
+
public function bar(): void
68
+
{
69
+
$this->dangerousLogger->log('something');
70
+
}
71
+
}
72
+
```
73
+
74
+
The attribute names in the _allow_ directives support [fnmatch()](https://www.php.net/function.fnmatch) patterns, and only one needs to match if multiple are specified.
75
+
76
+
### Allow namespace or classname use in `use` imports
77
+
78
+
You can allow a namespace or a classname to be used in `use` imports with `allowInUse: true`.
79
+
This can be useful when you want to disallow a namespace usage in a class with an attribute (with `allowExceptInClassWithAttributes` or `disallowInClassWithAttributes`),
80
+
but don't want the error to be reported on line with the `use` statement.
81
+
82
+
Let's have a class like this:
83
+
84
+
```php
85
+
use Foo\Bar\DisallowedClass; // line 1
86
+
87
+
#[MyAttribute]
88
+
class Waldo
89
+
{
90
+
91
+
public function fred(DisallowedClass $param) // line 7
92
+
{
93
+
}
94
+
95
+
}
96
+
```
97
+
98
+
Then with a configuration like this:
99
+
100
+
```neon
101
+
parameters:
102
+
disallowedNamespace:
103
+
-
104
+
namespace: 'Foo\Bar\DisallowedClass'
105
+
allowExceptInClassWithAttributes:
106
+
- MyAttribute
107
+
```
108
+
109
+
the error would be reported both on line 1, because `use Foo\Bar\DisallowedClass;` uses a disallowed namespace, and on line 7 because `$param` has the disallowed type.
110
+
But maybe you'd expect the error to be reported only on line 7, because _that_ is a disallowed class used in a class with the `MyAttribute` attribute.
111
+
112
+
To omit the `use` finding, you can add the `allowInUse` line, like this:
## Allow in class with given attributes on any method
2
+
3
+
You can allow or disallow a function or a method, an attribute, a namespace or a classname in a class where any method, including the method the call is done in, but not the class itself, has the specified attribute.
4
+
This is done with `allowInClassWithMethodAttributes` and `allowExceptInClassWithMethodAttributes` (or `disallowInClassWithMethodAttributes` which is an alias).
5
+
6
+
```neon
7
+
parameters:
8
+
disallowedNamespace:
9
+
-
10
+
class: 'Foo\Bar\DisallowedClass'
11
+
allowInClassWithMethodAttributes:
12
+
- MyAttribute
13
+
```
14
+
15
+
Given the configuration above, no error would be reported in the following source code even though `MyAttribute` is not on the method the DisallowedClass is used in, but on some other method:
16
+
17
+
```php
18
+
class Waldo
19
+
{
20
+
21
+
public function function1(): void
22
+
{
23
+
Foo\Bar\DisallowedClass::method();
24
+
}
25
+
26
+
27
+
#[MyAttribute]
28
+
private function checkThis(): void
29
+
{
30
+
}
31
+
32
+
}
33
+
```
34
+
35
+
The attribute names support [fnmatch()](https://www.php.net/function.fnmatch) patterns, and only one needs to match if multiple are specified.
## Allow in methods or functions with given attributes
2
+
3
+
Similar to [allowing items in methods or functions by name](allow-in-methods.md), you can allow or disallow items like functions and method calls, attributes, namespace and classname usage in methods and functions with given attributes.
4
+
5
+
You can use `allowInMethodsWithAttributes` (or the `allowInFunctionsWithAttributes` alias) for that:
6
+
7
+
```neon
8
+
parameters:
9
+
disallowedMethodCalls:
10
+
-
11
+
method: 'PotentiallyDangerous\Logger::log()'
12
+
allowInMethodsWithAttributes:
13
+
- MyAttribute
14
+
```
15
+
16
+
And vice versa, if you need to disallow an item in a method or a function with given attribute, use `allowExceptInMethodsWithAttributes` (with aliases `allowExceptInFunctionsWithAttributes`, `disallowInMethodsWithAttributes`, `disallowInFunctionsWithAttributes`):
17
+
18
+
```neon
19
+
parameters:
20
+
disallowedMethodCalls:
21
+
-
22
+
method: 'Controller::redirect()'
23
+
disallowInFunctionsWithAttributes:
24
+
- YourAttribute
25
+
```
26
+
27
+
The attribute names support [fnmatch()](https://www.php.net/function.fnmatch) patterns. If you specify multiple attributes, the method or the function in which the item should be allowed or disallowed, needs to have just one of them.
0 commit comments