When a function or method is used as a first-class callable, no arguments are present at the detection point - they are supplied only when the callable is eventually invoked, so parameter conditions cannot be evaluated at the call site.
Conditions that restrict which calls are allowed (`allowParamsAnywhere`, `allowParamsInAllowed`, and their `AnyValue` and `Flags` variants) require a matching param value. Because no args are present the condition can never be satisfied, so first-class callables are always reported when these directives are configured.
Conditions that restrict which calls are disallowed (`allowExceptParamsAnywhere`, `allowExceptParamsInAllowed`, and their variants and aliases) require a matching param value to trigger the disallow. Because no args are present the forbidden condition can never be triggered, so first-class callables are never reported when these directives are configured.
docs/allow-with-parameters.md: 8 additions & 0 deletions
@@ -208,6 +208,14 @@ parameters:
208
208
209
209
But because the "positional _or_ named" limitation described above applies here as well, I generally don't recommend using these shortcuts and instead recommend specifying both `position` and `name` keys.
210
210
211
+
### First-class callables
212
+
213
+
When a function or method is used as a [first-class callable](https://www.php.net/functions.first_class_callable_syntax) (`strlen(...)`), no arguments are present at the call site - the callable is invoked later with whatever arguments the caller passes. Because parameter conditions that restrict which calls are *allowed* (`allowParamsInAllowed`, `allowParamsInAllowedAnyValue`, `allowParamFlagsInAllowed`, `allowParamsAnywhere`, `allowParamsAnywhereAnyValue`, `allowParamFlagsAnywhere`) cannot be evaluated without arguments, any first-class callable is always reported when such a condition is configured, no matter where in the code it appears.
214
+
215
+
Conditions that restrict which calls are *disallowed* behave differently - the forbidden parameter condition cannot be triggered without arguments. For the `*Anywhere` variants (`allowExceptParamsAnywhere`, `allowExceptParamsAnyValue`, `allowExceptParamFlags`, `allowExceptCaseInsensitiveParams`, and their aliases), first-class callables are never reported. For the `*InAllowed` variants (`allowExceptParamsInAllowed`, `allowExceptParamFlagsInAllowed`, and their aliases), first-class callables are not reported inside the relevant zone; outside it, the zone rule alone determines whether the call is reported.
216
+
217
+
To allow a first-class callable of a disallowed function, use a zone-based directive without a parameter condition, for example `allowIn`, `allowInMethods`, or `allowInInstanceOf`. Alternatively, use an anonymous function that calls the function with the required argument: `fn($x) => hash('sha256', $x)` instead of `hash(...)`.
218
+
211
219
### PHPDoc type strings
212
220
213
221
Instead of the `value` directive, you can use the `typeString` directive which allows you to specify arrays, unions, and anything that can be expressed with PHPDoc:
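Review bot: The added paragraph on conditions that restrict which calls are *disallowed* says first-class callables are "never reported" but does not state the consequence: a rule that forbids a specific argument value is not enforced when the function is taken as `hash(...)`, and the final added paragraph only explains how to allow a callable, not what to do about this unchecked case. Suggest adding a sentence saying explicitly that the parameter check is skipped for first-class callables under the `allowExcept*` directives, so readers who rely on those rules know where the coverage ends. In the same paragraph, the group labelled "`*Anywhere` variants" lists `allowExceptParamsAnyValue`, `allowExceptParamFlags` and `allowExceptCaseInsensitiveParams`, none of which end in `Anywhere`; wording such as "the variants without `InAllowed`" would match the names. The commit message also says these callables are never reported for all `allowExcept*` directives, while the documentation text says that outside the zone the zone rule alone decides for the `*InAllowed` variants; the two should agree.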