Allow union deserialization using discriminator map

[idbentley]

Q	A
Bug fix?	no
New feature?	yes
Doc updated	no
BC breaks?	no
Deprecations?	no
Tests pass?	yes
Fixed tickets	#1549
License	MIT

Hi @goetas here's a simpler version of PR #1549 - this one only adds support for discriminated complex unions.

[idbentley]

Hi @goetas - I wonder if you've had a chance to look at these changes?

[goetas]

hi, sorry for the delay in my review. i have left some comments, could you answer my questions please?

after you answer to #1553 (comment), could you please update the documentation as well? most of what you need is to update /doc/reference/annotations.rst

[goetas]

something is odd with this foreach loops, you have here a nested loop the same variable (line 70 and 102). shouldn't they be independent?

[idbentley]

This was an error - removing the inner loop is the correct fix.

[goetas]

i think that is an anti pattern to leak class name into the JSON representation.... it might be a "quick thing" but it has backfired at me so many times...
It can represent also potential security issues as it allows third parties to instantiate potentially any class.
are you using this approach? (as example in the "inheritance" discriminator map this feature is intentionally requiring the discriminator map to be not empty)

[idbentley]

I'm not sure I understand the alternative to putting the className into the type.

This can happen in many ways. The simplest I can think of is:

class SomeClass {
    private MappedDiscriminatedAuthor $data
}

will result in such a type:

$type = ['name' => 'MappedDiscriminatedAuthor', 'params' => []]

I think I must be misunderstanding your question.

[goetas]

you could potentially encode in the union type already the info regarding the discriminator field and map.
advantage of it is that it would be done only once at compile cache metadata time vs at runtime as done now.
it should be much faster.

#[UnionDiscriminator(
  field: 'objectType', 
  map: [
   'author' => 'JMS\Serializer\Tests\Fixtures\MappedDiscriminatedAuthor', 
   'comment' => 'JMS\Serializer\Tests\Fixtures\MappedDiscriminatedComment'
  ]
)]

can be translated to

[
  'type' => 'union',
  'params' => [
      'objectType',
       [
        'author' => 'JMS\Serializer\Tests\Fixtures\MappedDiscriminatedAuthor', 
        'comment' => 'JMS\Serializer\Tests\Fixtures\MappedDiscriminatedComment'
       ]

  ]
]

in this way you have all the data ready in the UnionHandler and no need to fetch metadata each time

do you see it as doable approach?

[idbentley]

I'm not sure I understand what you're asking for, so I put together a commit (34439ca) that contains your ask as I understand it.

Please see the most recent commit for the change in full. Basically, my change does the following.

If a UnionDiscriminator annotation exists, then the params array on the type will be overwritten:

from

[
    'name' => 'union',
    'params' => [['name' => 'Path\Type1', 'params' => []], ['name' => 'Path\Type2', 'params' => []]
]

to

[
    'name' => 'union',
    'params' => ['type']
]

If the UnionDiscriminator annotation contains a field and a map, both are included:

[
    'name' => 'union',
    'params' => ['type', ['type1' => 'Path\Type1', ...]]
]

The UnionHandler can handle a params list that contains any of these combinations:

1. A param list of possibleTypes (if they are primitives, they will resolve if the data matches).
2. A param list with just a field name - the parameter with a matching name will be used to find the resolution type.
3. A param list with a field name and a lookup map. The parameter with a matching name will be used to lookup the final type from the lookup map.

[goetas]

Your latest version is exactly what I had in mind, nice!

The only thing left in my opinion is to address the potential security issue. With your implementation,

class ComplexDiscriminatedUnion
{
    #[UnionDiscriminator(field: 'type')]
    private DiscriminatedAuthor|DiscriminatedComment $data;

If a user sends this JSON

{
 "type":  "DOMDocument"
}

with the current implementation the serializer will attempt to instantiate a DOMDocument class and to set it to $data.

In this case DOMDocument is harmless, but any class can be passed there.

The solution here is to have the map parameter strictly necessary and only the classes in the map should be used (this is the same solution used for the inheritance version)

[idbentley]

@goetas thanks for the feedback. I think I captured all the changes you asked for!

[goetas]

this else branch still exposes the ability to pass any class name in the json and later that class will be instantiated. I think that this should be removed

[goetas]

@idbentley I took the liberty of pushing the changes my self, could you please have a look?

[idbentley]

@goetas Your changes look good to me!

[idbentley]

I'm going to be OOTO next week. Feel free to proceed without me!

[scyzoryck]

Just a thought - as the logic in growing and most probably is becoming a first class citizen - IMHO using handler might be redundant here. I guess we might go with direct implementation in GraphNavigator in the future. If we need additional logic here, having handler seems to be redundant.

[scyzoryck]

When we moved the code to the type, those fields seems to be not needed anymore. :)

[goetas]

hmm, can you please clarify? im not sure I understand