array_column should not extract non-accessible properties from objects

PHP's array_column respects calling scope visibility. This change:
- Checks scope->canReadProperty() before including a property type
- When both __isset and __get are defined, treats inaccessible
  properties as maybe-accessible (returns generic array)
- Handles NeverType in index position by falling back to integer keys

Fixes phpstan/phpstan#13573

Author: janedbal

src/Type/Php/ArrayColumnHelper.php

@@ -53,6 +53,9 @@ public function getReturnIndexType(Type $arrayType, Type $indexType, Scope $scop
 			$iterableValueType = $arrayType->getIterableValueType();
 
 			[$type, $certainty] = $this->getOffsetOrProperty($iterableValueType, $indexType, $scope);
+			if ($type instanceof NeverType) {
+				return new IntegerType();
+			}
 			if ($certainty->yes()) {
 				return $type;
 			}
@@ -98,7 +101,9 @@ public function handleConstantArray(ConstantArrayType $arrayType, Type $columnTy
 
 			if (!$indexType->isNull()->yes()) {
 				[$type, $certainty] = $this->getOffsetOrProperty($iterableValueType, $indexType, $scope);
-				if ($certainty->yes()) {
+				if ($type instanceof NeverType) {
+					$keyType = null;
+				} elseif ($certainty->yes()) {
 					$keyType = $type;
 				} else {
 					$keyType = TypeCombinator::union($type, new IntegerType());
@@ -147,7 +152,17 @@ private function getOffsetOrProperty(Type $type, Type $offsetOrProperty, Scope $
 					continue;
 				}
 
-				$returnTypes[] = $type->getInstanceProperty($propertyName, $scope)->getReadableType();
+				$property = $type->getInstanceProperty($propertyName, $scope);
+				if (!$scope->canReadProperty($property)) {
+					foreach ($type->getObjectClassReflections() as $classReflection) {
+						if ($classReflection->hasMethod('__isset') && $classReflection->hasMethod('__get')) {
+							return [new MixedType(), TrinaryLogic::createMaybe()];
+						}
+					}
+					continue;
+				}
+
+				$returnTypes[] = $property->getReadableType();
 			}
 		}
 

tests/PHPStan/Analyser/nsrt/array-column-php82.php

@@ -237,3 +237,122 @@ public function doFoo(array $a): void
 	}
 
 }
+
+class ObjectWithVisibility
+{
+	public int $pub = 1;
+	protected int $prot = 2;
+	private int $priv = 3;
+}
+
+class ArrayColumnVisibilityTest
+{
+
+	/** @param array<int, ObjectWithVisibility> $objects */
+	public function testNonPublicProperties(array $objects): void
+	{
+		assertType('list<int>', array_column($objects, 'pub'));
+		assertType('array{}', array_column($objects, 'prot'));
+		assertType('array{}', array_column($objects, 'priv'));
+	}
+
+	/** @param array{ObjectWithVisibility} $objects */
+	public function testNonPublicPropertiesConstant(array $objects): void
+	{
+		assertType('array{int}', array_column($objects, 'pub'));
+		assertType('array{}', array_column($objects, 'prot'));
+		assertType('array{}', array_column($objects, 'priv'));
+	}
+
+	/** @param array<int, ObjectWithVisibility> $objects */
+	public function testNonPublicAsIndex(array $objects): void
+	{
+		assertType('array<int, int>', array_column($objects, 'pub', 'pub'));
+		assertType('array<int, int>', array_column($objects, 'pub', 'priv'));
+	}
+
+}
+
+class ArrayColumnVisibilityFromInsideTest
+{
+
+	public int $pub = 1;
+	private int $priv = 2;
+
+	/** @param list<self> $objects */
+	public function testFromInside(array $objects): void
+	{
+		assertType('list<int>', array_column($objects, 'pub'));
+		assertType('list<int>', array_column($objects, 'priv'));
+	}
+
+}
+
+class ArrayColumnVisibilityFromChildTest extends ObjectWithVisibility
+{
+
+	/** @param list<ObjectWithVisibility> $objects */
+	public function testFromChild(array $objects): void
+	{
+		assertType('list<int>', array_column($objects, 'pub'));
+		assertType('list<int>', array_column($objects, 'prot'));
+		assertType('array{}', array_column($objects, 'priv'));
+	}
+
+}
+
+class ObjectWithIssetOnly
+{
+	private int $priv = 2;
+
+	public function __isset(string $name): bool
+	{
+		return true;
+	}
+}
+
+class ArrayColumnVisibilityWithIssetOnlyTest
+{
+
+	/** @param array<int, ObjectWithIssetOnly> $objects */
+	public function testWithIssetOnly(array $objects): void
+	{
+		assertType('array{}', array_column($objects, 'priv'));
+	}
+
+}
+
+class ObjectWithIsset
+{
+	public int $pub = 1;
+	private int $priv = 2;
+
+	public function __isset(string $name): bool
+	{
+		return true;
+	}
+
+	public function __get(string $name): mixed
+	{
+		return $this->$name;
+	}
+}
+
+class ArrayColumnVisibilityWithIssetTest
+{
+
+	/** @param array<int, ObjectWithIsset> $objects */
+	public function testWithIsset(array $objects): void
+	{
+		assertType('list<int>', array_column($objects, 'pub'));
+		assertType('list', array_column($objects, 'priv'));
+	}
+
+	/** @param array{ObjectWithIsset} $objects */
+	public function testWithIssetConstant(array $objects): void
+	{
+		assertType('array{int}', array_column($objects, 'pub'));
+		assertType('list', array_column($objects, 'priv'));
+	}
+
+}

tests/PHPStan/Analyser/nsrt/array-column.php

@@ -252,3 +252,122 @@ public function doFoo(array $a): void
 	}
 
 }
+
+class ObjectWithVisibility
+{
+	public int $pub = 1;
+	protected int $prot = 2;
+	private int $priv = 3;
+}
+
+class ArrayColumnVisibilityTest
+{
+
+	/** @param array<int, ObjectWithVisibility> $objects */
+	public function testNonPublicProperties(array $objects): void
+	{
+		assertType('list<int>', array_column($objects, 'pub'));
+		assertType('array{}', array_column($objects, 'prot'));
+		assertType('array{}', array_column($objects, 'priv'));
+	}
+
+	/** @param array{ObjectWithVisibility} $objects */
+	public function testNonPublicPropertiesConstant(array $objects): void
+	{
+		assertType('array{int}', array_column($objects, 'pub'));
+		assertType('array{}', array_column($objects, 'prot'));
+		assertType('array{}', array_column($objects, 'priv'));
+	}
+
+	/** @param array<int, ObjectWithVisibility> $objects */
+	public function testNonPublicAsIndex(array $objects): void
+	{
+		assertType('array<int, int>', array_column($objects, 'pub', 'pub'));
+		assertType('array<int, int>', array_column($objects, 'pub', 'priv'));
+	}
+
+}
+
+class ArrayColumnVisibilityFromInsideTest
+{
+
+	public int $pub = 1;
+	private int $priv = 2;
+
+	/** @param list<self> $objects */
+	public function testFromInside(array $objects): void
+	{
+		assertType('list<int>', array_column($objects, 'pub'));
+		assertType('list<int>', array_column($objects, 'priv'));
+	}
+
+}
+
+class ArrayColumnVisibilityFromChildTest extends ObjectWithVisibility
+{
+
+	/** @param list<ObjectWithVisibility> $objects */
+	public function testFromChild(array $objects): void
+	{
+		assertType('list<int>', array_column($objects, 'pub'));
+		assertType('list<int>', array_column($objects, 'prot'));
+		assertType('array{}', array_column($objects, 'priv'));
+	}
+
+}
+
+class ObjectWithIssetOnly
+{
+	private int $priv = 2;
+
+	public function __isset(string $name): bool
+	{
+		return true;
+	}
+}
+
+class ArrayColumnVisibilityWithIssetOnlyTest
+{
+
+	/** @param array<int, ObjectWithIssetOnly> $objects */
+	public function testWithIssetOnly(array $objects): void
+	{
+		assertType('array{}', array_column($objects, 'priv'));
+	}
+
+}
+
+class ObjectWithIsset
+{
+	public int $pub = 1;
+	private int $priv = 2;
+
+	public function __isset(string $name): bool
+	{
+		return true;
+	}
+
+	public function __get(string $name): mixed
+	{
+		return $this->$name;
+	}
+}
+
+class ArrayColumnVisibilityWithIssetTest
+{
+
+	/** @param array<int, ObjectWithIsset> $objects */
+	public function testWithIsset(array $objects): void
+	{
+		assertType('list<int>', array_column($objects, 'pub'));
+		assertType('list', array_column($objects, 'priv'));
+	}
+
+	/** @param array{ObjectWithIsset} $objects */
+	public function testWithIssetConstant(array $objects): void
+	{
+		assertType('array{int}', array_column($objects, 'pub'));
+		assertType('list', array_column($objects, 'priv'));
+	}
+
+}