
GitHub / spaze / phpstan-disallowed-calls

PHPStan rules to detect disallowed method & function calls, constant, namespace, attribute & superglobal usages, with powerful rules to re-allow a call or a usage in places where it should be allowed.

JSON API: http://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/spaze%2Fphpstan-disallowed-calls
PURL: pkg:github/spaze/phpstan-disallowed-calls

Stars: 309
Forks: 22
Open issues: 4

License: mit
Language: PHP
Size: 826 KB
Dependencies parsed at: Pending

Created at: about 7 years ago
Updated at: 6 days ago
Pushed at: 9 days ago
Last synced at: 1 day ago

Commit Stats

Commits: 203
Authors: 12
Mean commits per author: 16.92
Development Distribution Score: 0.177
More commit stats: https://commits.ecosyste.ms/hosts/GitHub/repositories/spaze/phpstan-disallowed-calls

Topics: disallowed-calls, php, phpstan, phpstan-rules, static-analysis

Funding Links: https://github.com/sponsors/spaze

Releases
More tests, some cleanup

v4.6.0

More and better tests

  • Automate end-to-end tests (#336, #339; want to add your repo to end-to-end tests, see below? Let me know!)
  • Run PHPStan on tests as well (#331)
  • Start using the Dead Code Detector (#332, #338, #333)
  • Test rule registration (#335)

Cleanup

  • Ignore PHPStan’s ClassReflection::isEnum error when analyzing the extension code on PHP 7.4 (#324)
  • Don’t add phpstan-ignore-errors.php into the package (#328)
  • Remove the extra config file leftovers (#334)
  • Remove the hasConstant check (#343)

What’s an end-to-end test?

A test to ensure the extension still works where it was working before. The test checks out a configured repository, installs the latest version of the extension, then runs PHPStan.

about 2 months ago
Can exclude disallowed classes based on attribute

v4.5.0

Allow excluding disallowed classes based on attribute (#319, thanks @morrislaptop)

If you disallow multiple classes or namespaces using an fnmatch wildcard, for example like this:

    disallowedClasses:
        -
            class: 'Foo\Bar\*Something'

… then there may be one or more classes that you’d like to exclude from all the *Something classes for some reason. Previously, starting with 2.15.0, you could exclude them by name using the exclude option:

            exclude:
                - 'Foo\Bar\NotThisSomething'

This release brings a new directive called excludeWithAttribute which you can also use to exclude items from the original set, but based on whether they have the specified attribute:

    disallowedClasses:
        -
            class: 'Foo\Bar\*Something'
            excludeWithAttribute:
                - 'MyApp\ThisAttribute'

Then if you have two classes like this:

    namespace Foo\Bar;

    class ThisSomething
    {
    }

    #[\MyApp\ThisAttribute]
    class ThatSomething
    {
    }

then only the ThisSomething class would be disallowed.

excludeWithAttribute is supported for classes and namespaces for now, and supports fnmatch patterns.

Internal changes

  • Make tests green when running with zend.assertions=1 (#321)

5 months ago
Classes in method params can be allowed by method attributes

v4.4.1

This is a follow-up to the allowInMethodsWithAttributes feature added in 4.3.1.

When you disallow the Event class (with disallowedClasses) and would like to allow it again in a method that has the Attr attribute (see the example code below), the Event class should be allowed even in the method signature. Previously, it was flagged as a disallowed usage (#315).

    class Handler
    {
        #[Attr]
        public function foo(Event $event) // should be allowed too
        {
            $event = new Event(); // allowed
        }
    }

6 months ago
allowInInstanceOf and allow* support for all items

v4.4.0

What’s Changed

  • You can now allow some items in instanceofs (allowInInstanceOf, allowExceptInInstanceOf, allowInUse directives, docs) (#306)
  • Full allow* support for all items (previously constants, superglobals and control structures didn’t support for example allowInMethods etc.) (#310)
  • The extension can now be tested with PHPUnit 12.x (#309)

If this extension helps you write better code you can sponsor a release or buy me a 🍻 or a 🍰, thanks!

6 months ago
Re-allow in class with/by attributes

v4.3.1

This bugfix release includes a better detection of disallowed attributes reallowed in a method with attributes (#304)


The original 4.3.0 release notes:

This release has been sponsored by @ticketswap & @ruudk, thank you 🍰

Re-allow in class with/by attributes (#296, #298)

So far, when you wanted to re-allow a disallowed function or a method, or specifically disallow them, you could use:

  • an allowIn path to specify a path or a filename where the function or method could be called without generating an error
  • or allowInMethods (or the allowInFunctions alias) to specify functions and methods in which the disallowed function would be allowed
  • you could also use the companion directives disallowIn or disallowInMethods (or the allowExceptIn[...] aliases) if you wanted to list paths or methods in which the call is explicitly disallowed

Starting with this release, you can use attributes to sort of mark functions and methods in which the disallowed call would be allowed (or explicitly disallowed):

  • use allowInClassWithAttributes to allow for example a method in a class that has a specified class attribute
  • use allowInMethodsWithAttributes (or the disallowInFunctionsWithAttributes alias) to allow the call in methods (or function) with the given method attribute (or a function attribute)
  • use allowInClassWithMethodAttributes to allow a call in a class where any method has the attribute, where “any method” includes any other method as well, static or not, public, private, or protected
  • you can also use the disallowIn[...] counterparts (with allowExceptIn[...] aliases) to specify only classes and methods in which the call should be disallowed

This allows you to create rules that do not depend on paths or method names, and can be useful if you’re working with frameworks or libs that already use attributes. You can specify multiple items in the directives above and only one of them needs to match (it’s not an AND list, more like OR list) and they all support fnmatch patterns.

Other minor changes

  • More callable param tests for a bugfix in the previous release (#295)
  • Call fnmatch less often only when needed (#297)
  • Tweak attribute example in the disallowedAttributes docs (#299, thanks @ruudk)

You too can sponsor a release or buy me a 🍻 or a 🍰, thanks!

7 months ago
Re-allow in class with/by attributes

v4.3.0

This release has been sponsored by @ticketswap & @ruudk, thank you 🍰

Re-allow in class with/by attributes (#296, #298)

So far, when you wanted to re-allow a disallowed function or a method, or specifically disallow them, you could use:

  • an allowIn path to specify a path or a filename where the function or method could be called without generating an error
  • or allowInMethods (or the allowInFunctions alias) to specify functions and methods in which the disallowed function would be allowed
  • you could also use the companion directives disallowIn or disallowInMethods (or the allowExceptIn[...] aliases) if you wanted to list paths or methods in which the call is explicitly disallowed

Starting with this release, you can use attributes to sort of mark functions and methods in which the disallowed call would be allowed (or explicitly disallowed):

  • use allowInClassWithAttributes to allow for example a method in a class that has a specified class attribute
  • use allowInMethodsWithAttributes (or the disallowInFunctionsWithAttributes alias) to allow the call in methods (or function) with the given method attribute (or a function attribute)
  • use allowInClassWithMethodAttributes to allow a call in a class where any method has the attribute, where “any method” includes any other method as well, static or not, public, private, or protected
  • you can also use the disallowIn[...] counterparts (with allowExceptIn[...] aliases) to specify only classes and methods in which the call should be disallowed

This allows you to create rules that do not depend on paths or method names, and can be useful if you’re working with frameworks or libs that already use attributes. You can specify multiple items in the directives above and only one of them needs to match (it’s not an AND list, more like OR list) and they all support fnmatch patterns.
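
The attribute-based re-allow directives described above, shown as an added configuration example that is not taken from the project's own documentation. The attribute class names under MyApp\ and the messages are hypothetical, and the fragment assumes the extension is already loaded in your phpstan.neon.

```neon
# Added example: attribute names and messages are hypothetical.
parameters:
    disallowedFunctionCalls:
        -
            function: 'exec()'
            message: 'run external commands only through the reviewed wrapper'
            # Re-allowed only inside methods or functions that carry this attribute,
            # so the exception follows the code, not a file path or a method name.
            allowInMethodsWithAttributes:
                - 'MyApp\Security\ReviewedShellCall'
        -
            function: 'unserialize()'
            message: 'do not unserialize outside reviewed classes'
            # Re-allowed anywhere in a class that carries one of these class attributes.
            # The list is an OR list: one match is enough. fnmatch patterns are supported.
            allowInClassWithAttributes:
                - 'MyApp\Security\TrustedCache'
                - 'MyApp\Legacy\*Migration'
```

Because the exception is granted by an attribute, adding that attribute to a method or class is the change to look for in code review: it is what turns a disallowed call into an allowed one.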

Other minor changes

  • More callable param tests for a bugfix in the previous release (#295)
  • Call fnmatch less often only when needed (#297)
  • Tweak attribute example in the disallowedAttributes docs (#299, thanks @ruudk)

You too can sponsor a release or buy me a 🍻 or a 🍰, thanks!

7 months ago
Callable param variant fix

v4.2.1

What’s Changed

  • Check just one callable parameter variant (#293); this fixes a rather rare regression introduced in 4.1.1.

7 months ago
Can disallow `isset` & `unset`

v4.2.0

What’s new

  • Can disallow isset() in disallowedFunctionCalls (#289, thanks @ksaveras!)
  • Can disallow unset, too (#291)

Internal change

  • array_merge arrays with error messages only when not empty; this should speed things up a bit, maybe (#287)

7 months ago
Detect callables and dynamic calls

v4.1.1

This version replaces 4.1.0 in which callables were not detected in constructors. The notes below are taken from 4.1.0.

This release adds new detections listed below, meaning it’s possible that you’ll see new error messages.

First class callable syntax (#279), for example:

    $func = print_r(...);

Dynamic calls (#276, #278), for example:

    $func('foo');
    $object->$method();

Test anonymous class usages (#277), for example:

    $foo = new class implements ...
    $foo = new class extends ...

Anonymous class usages (when the anonymous class extends DisallowedClass for example) were detected before, however the detection is now tested.

Detect callable parameters (#281, #283, #285), for example:

    array_map('function', []);
    array_map([$object, 'method'], []);
    array_map([Class::class, 'staticMethod'], []);

8 months ago
Detect callables and dynamic calls (replaced by 4.1.1)

v4.1.0

This release has been replaced by 4.1.1 which also detects callables in constructors, unlike this version.

8 months ago