[HttpFoundation] Add #[\NoDiscard] attribute to UriSigner check methods
#61147
Conversation
|
Hey! Thanks for your PR. You are targeting branch "7.4" but it seems your PR description refers to branch "7.4 for features / 6.4, 7.2, or 7.3 for bug fixes". Cheers! Carsonbot |
|
I wrote my opinion on #60429 (comment) before:
|
|
I see, never thought about have them on wither methods, as I maybe not personally fan of that pattern 😆. For me it really only thought it handy for |
|
I get it. But this looks like a can of worms to me. You did spot the issue, and Q&A is the way to find such issue IMHO. |
Let me give an example from few weeks ago in favor of private function loginViaCode(Request $request): Response
{
// find user, check the code in URL query first...
$this->security->login($user);
return $this->redirectToRoute('some_route');
}It all worked, couldn't be any simpler. But later the task was updated: when the user logs in, check if they are synced with Stripe and redirect them to sync page if they are not. So I hooked into public function __invoke(LoginSuccessEvent $event): void
{
// check if front-facing route, check $user->isSyncedWithStripe(), early return here
// not synced: doesn't matter how they are logged in, redirect them to sync page
$route = $this->router->generate('stripe_sync_page');
$response = new RedirectResponse($route);
$event->setResponse($response);
$event->stopPropagation();
}But it didn't work; listener was triggered, but user didn't get redirected to private function loginViaCode(Request $request): Response
{
// find user, check the code in URL query first...
return $this->security->login($user) ?? $this->redirectToRoute('some_route');
}And then it all started to work. I think this is a perfect use-case for // Security.php
#[NoDiscard('as event hooks and authenticator can put their own response')
public function login(UserInterface $user, ...): Response|null
{}The problem: Adding |
|
Couldn't all this be done with a custom PHPStan rule? Could be added to phpstan-symfony |
Yes, that is true, I just didn't want to put even more text to the comment above. For a silly reason, I added But not everyone checks for unused return type, and it would also require extra rule (there is one, but can't find it) in phpstan. Where as having an exception with clear message would work on language level. So for as long as users can change their static analysis level, I don't think Symfony or any other package should rely on this check. There is more. I never use fluent setters, but vast majority of the users do. Even maker bundle creates entities with fluent setter. So if users enable global detection of unused return types, all that code will start to report errors. So it is highly likely that users will simply disable the check on global level (i.e. not just on Entity directory), and then forget about it. |
|
@zmitic thanks for the example. If I understand correctly, you worked on the listener and you spent some time figuring out why it didn't work. The NoDiscard would have saved you some time, but it wouldn't really have prevented you from shipping the issue to prod, since you experienced it during the dev cycle. On the other end, ignoring the return value of the All this is why I think NoDiscard is not an improvement to anything. Yes, it would have saved you some time in this situation, but there are hundreds ways one can mess up before figuring out the correct code. This special case is not so special to me. It's just a random one that shouldn't deserve so much (syntax) attention. |
OskarStark
changed the title
#[\NoDiscard] attribute to UriSigner check methods
carsonbot
changed the title
#[\NoDiscard] attribute to UriSigner check methods#[\NoDiscard] attribute to UriSigner check methods
|
I'm 👎 on this one as well. Now that return types are everywhere, you should (almost) never ignore the return of a function/method other than void. I also believe that IDEs issue warnings when the return of a function is not used. Finally, I have the feeling that if we add it here, why not add it to all codebase methods that aren't void? |
|
@alexandre-daubois fluent interfaces are an example typical the return don't need to managed handled. So no it's not about always where there is no void return type. What methods require to handle a return are methods which are But I understand that the line is hard to define for Symfony itself, why I personally only see it as part of Security related services. So I think we will end in the same state as for pure that it might be better as part of phpstan-symfony package. |
|
Let's close, thanks for proposing and for the discussion. |
There are sure more services which may be interesting but want to start with this one to discuss if we adopt:
https://wiki.php.net/rfc/marking_return_value_as_important
In the symfony workspace.
As I know there is nothing wrong to add a attribute which may not exist at that PHP version which we already had in the past with the ReturnTypeWillChange attributes.