smarty icon indicating copy to clipboard operation
smarty copied to clipboard
verified publisher icon smarty-php

Smarty registered classes check prevents use of class constants to avoid typo bugs in templates

Open arkonan opened this issue 1 year ago • 3 comments

My team makes extensive use of PHP class constants in our Smarty templates to avoid problems with typos in logic checks. With the new requirement that all classes be registered to access them statically our templates now generate deprecation warnings for each class constant.

It would be nice if class constants references (as opposed to static method calls) did not require class registration.

Alternatively I would like a supported way of overriding this behavior in a security policy. For example I would expect that overriding isTrustedStaticClass() or isTrustedStaticClassAccess() in my security policy would allow me to suppress the registered class requirement. However since the check for class registration is done outside the security policy this does not work unless the security policy also registers the class before returning. Calling Smarty::registerClass() from inside my security policy currently works but does not seem like it is a supported solution to the problem.

arkonan avatar Jun 05 '24 13:06 arkonan

Agreed, using class constants in templates helps us from keeping magic strings and numbers from proliferating through the codebase, and they're easy to grep for when determining the impact of a change. Having to add a ton of registerClass calls makes this painful and I don't see the risk of just allowing constants to be accessed as a general rule.

asmecher avatar Jun 28 '24 21:06 asmecher

Using class constants should not trigger the notice. This is probably an unintended side effect of https://github.com/smarty-php/smarty/pull/880

wisskid avatar Jul 04 '24 19:07 wisskid

I think this is referring to an issue I'm running into. Here are example files:

index.php

class MyConfig
{
	const VAR1 = 'MyConstant';
}

$smarty = new Smarty();
$smarty->setTemplateDir('./templates');
$smarty->setCompileDir('./templates_c');
$smarty->display('index.tpl');

index.tpl

Constant: {MyConfig::VAR1}

In Smarty 4.5.5, this produces this output:

PHP Deprecated:  Using unregistered static method "MyConfig::VAR1" in a template is deprecated and will be removed in a future release. Use Smarty::registerClass to explicitly register a class for access. in /path/to/vendor/smarty/smarty/libs/sysplugins/smarty_internal_templateparser.php on line 2428

Deprecated: Using unregistered static method "MyConfig::VAR1" in a template is deprecated and will be removed in a future release. Use Smarty::registerClass to explicitly register a class for access. in /path/to/vendor/smarty/smarty/libs/sysplugins/smarty_internal_templateparser.php on line 2428
Constant: MyConstant

In Smarty 5.4.2, it works as expected with no deprecation warnings. In Smarty 4, adding $smarty->registerClass('MyConfig', 'MyConfig'); does seem to solve this, but it's not ideal.

ssigwart avatar Nov 22 '24 14:11 ssigwart