bug symfony#52767 [Serializer] Fix normalization relying on allowed attributes only (mtarld)

nicolas-grekas · nicolas-grekas · commit ccead6ee30b9 · 2023-11-28T21:24:08.000+01:00
This PR was merged into the 5.4 branch. Discussion ---------- [Serializer] Fix normalization relying on allowed attributes only | Q | A | ------------- | --- | Branch? | 5.4 | Bug fix? | yes | New feature? | no | Deprecations? | no | Issues | Fix symfony#52744 | License | MIT Commits ------- ca16751 [Serializer] Fix normalization relying on allowed attributes only
diff --git a/src/Symfony/Component/Serializer/Normalizer/AbstractObjectNormalizer.php b/src/Symfony/Component/Serializer/Normalizer/AbstractObjectNormalizer.php
@@ -318,7 +318,7 @@ protected function getAttributes(object $object, ?string $format, array $context
         $allowedAttributes = $this->getAllowedAttributes($object, $context, true);
 
         if (false !== $allowedAttributes) {
-            $attributes = array_intersect($attributes, $allowedAttributes);
+            $attributes = $attributes ? array_intersect($attributes, $allowedAttributes) : $allowedAttributes;
         }
 
         if ($context['cache_key'] && \stdClass::class !== $class) {
diff --git a/src/Symfony/Component/Serializer/Tests/Normalizer/AbstractObjectNormalizerTest.php b/src/Symfony/Component/Serializer/Tests/Normalizer/AbstractObjectNormalizerTest.php
@@ -458,9 +458,39 @@ public function testNormalizeEmptyObject()
     public function testNormalizeWithIgnoreAnnotationAndPrivateProperties()
     {
         $classMetadataFactory = new ClassMetadataFactory(new AnnotationLoader(new AnnotationReader()));
-        $serializer = new Serializer([new ObjectNormalizer($classMetadataFactory)]);
+        $normalizer = new ObjectNormalizer($classMetadataFactory);
 
-        $this->assertSame(['foo' => 'foo'], $serializer->normalize(new ObjectDummyWithIgnoreAnnotationAndPrivateProperty()));
+        $this->assertSame(['foo' => 'foo'], $normalizer->normalize(new ObjectDummyWithIgnoreAnnotationAndPrivateProperty()));
+    }
+
+    public function testNormalizeBasedOnAllowedAttributes()
+    {
+        $normalizer = new class() extends AbstractObjectNormalizer {
+            protected function getAllowedAttributes($classOrObject, array $context, bool $attributesAsString = false)
+            {
+                return ['foo'];
+            }
+
+            protected function extractAttributes(object $object, string $format = null, array $context = []): array
+            {
+                return [];
+            }
+
+            protected function getAttributeValue(object $object, string $attribute, string $format = null, array $context = [])
+            {
+                return $object->$attribute;
+            }
+
+            protected function setAttributeValue(object $object, string $attribute, $value, string $format = null, array $context = [])
+            {
+            }
+        };
+
+        $object = new Dummy();
+        $object->foo = 'foo';
+        $object->bar = 'bar';
+
+        $this->assertSame(['foo' => 'foo'], $normalizer->normalize($object));
     }
 
     /**

Original file line number	Diff line number	Diff line change
`@@ -318,7 +318,7 @@ protected function getAttributes(object $object, ?string $format, array $context`
`318`	`318`	`$allowedAttributes = $this->getAllowedAttributes($object, $context, true);`
`319`	`319`
`320`	`320`	`if (false !== $allowedAttributes) {`
`321`		`- $attributes = array_intersect($attributes, $allowedAttributes);`
	`321`	`+ $attributes = $attributes ? array_intersect($attributes, $allowedAttributes) : $allowedAttributes;`
`322`	`322`	`}`
`323`	`323`
`324`	`324`	`if ($context['cache_key'] && \stdClass::class !== $class) {`