larastan-strict-rules's Introduction

larastan-strict-rules

Extra strict and opinionated PHPStan rules for Laravel.

Installation

You can install the package via composer:

composer require --dev canvural/larastan-strict-rules

To enable all the rules, include rules.neon in your project's PHPStan config:

includes:
    - vendor/canvural/larastan-strict-rules/rules.neon

Enabling rules one-by-one

If you don't want to start using all the available strict rules at once but only one or two, you can! Just don't include the whole rules.neon from this package in your configuration, but look at its contents and copy only the rules you want to your configuration under the services key. For example:

services:
    -
        class: Vural\LarastanStrictRules\Rules\NoDynamicWhereRule
        tags:
            - phpstan.rules.rule
    -
        class: Vural\LarastanStrictRules\Rules\NoFacadeRule
        tags:
            - phpstan.rules.rule

Rules

NoDynamicWhereRule

This rule disallows the usage of dynamic where methods on the Eloquent query builder.

NoFacadeRule

This rule disallows the usage of Laravel Facades. It also checks for real-time facade usage.

NoGlobalLaravelFunctionRule

This rule disallows the usage of the global helper functions that come with Laravel.

If you want to allow some functions, you can use the allowedFunctions parameter for this rule, like so:

-
    class: Vural\LarastanStrictRules\Rules\NoGlobalLaravelFunctionRule
    arguments:
        allowedFunctions:
            - app
            - event

NoValidationInControllerRule

This rule disallows validating the request in controllers.

ScopeShouldReturnQueryBuilderRule

This rule makes sure an Illuminate\Database\Eloquent\Builder instance is returned from Eloquent local query scopes.

NoLocalQueryScopeRule

This rule disallows the usage of local model query scopes altogether.

NoPropertyAccessorRule

This rule disallows the usage of model property accessors.

ListenerShouldHaveVoidReturnTypeRule

This rule makes sure your event listeners have a void return type.

If you return false from an event listener, Laravel will stop the propagation of an event to other listeners. Sometimes this can be useful, but other times it can cause bugs that you will need to debug for hours. So this opinionated rule makes sure you always have a void return type for your event listeners.

You need to configure this rule by adding the directories that your event listeners are in to the listenerPaths parameter:

-
    class: Vural\LarastanStrictRules\Rules\ListenerShouldHaveVoidReturnTypeRule
    arguments:
        listenerPaths:
            - app/Listeners
            - app/DomainA/Listeners

Changelog

Please see CHANGELOG for more information on what has changed recently.

Contributing

Please see CONTRIBUTING for details.

Credits

People:

License

The MIT License (MIT). Please see License File for more information.

larastan-strict-rules's People

Contributors

canvural, dependabot-preview[bot], dependabot[bot], jeremynikolic, lloricode, owenvoke, szepeviktor

larastan-strict-rules's Issues

Addressing SQL Injection Vulnerabilities with Raw Methods

Ref the suggestion to Laravel core for Addressing SQL Injection Vulnerabilities with Raw Methods.

I'm happy to create a PR, where I've created this issue to discuss the implementation.

I note that you're currently using Rules, but this one might be easier to implement with Stubs; if so, I assume new folders /src/Stubs/ and /tests/Stubs/?

Also, I might need some guidance on how you would like to conditionally include these Stubs... I've only done this bit once before, using a StubFilesExtension class to conditionally getFiles().

`NoDynamicWhereRule` fails when scope is called in another class

This is something we've been experiencing for a while, but have tended to just baseline the errors.

The issue is as mentioned to you. I've attached an example below, to demonstrate the issue:

use Illuminate\Database\Eloquent\Builder;
use Illuminate\Database\Eloquent\Model;
use Illuminate\Database\Eloquent\Relations\HasMany;

class Account extends Model
{
    public function actions(): HasMany
    {
        return $this->hasMany(AccountAction::class);
    }

    public function hasActiveActions(): bool
    {
        // There will be a failure here, as it appears to be checking for `scopeWhereActive()` on this class, rather than on the relationship model.
        return $this->actions()->whereActive()->exists();
    }
}

class AccountAction extends Model
{
    public function scopeWhereActive(Builder $query): Builder
    {
        return $query->where('is_active', true);
    }
}

The "one-by-one" configuration could be modernized a bit

Hello Can,
awesome package! I have a suggestion for you: I don't really like when people copy-paste a class name from a package and put it in their own phpstan.neon. Because it ties the maintainer's hands - you can't change the class name, you can't add constructor arguments to it.

Instead of this:

services:
    -
        class: Vural\LarastanStrictRules\Rules\NoDynamicWhereRule
        tags:
            - phpstan.rules.rule
    -
        class: Vural\LarastanStrictRules\Rules\NoFacadeRule
        tags:
            - phpstan.rules.rule

You could provide parameters so that this is possible instead:

parameters:
    larastanStrictRules:
        noDynamicWhere: true
        noFacade: true

See how it's done with conditionalTags in phpstan-strict-rules: https://github.com/phpstan/phpstan-strict-rules/blob/5c143aa605bbf392a90630773618eeaeeac7a49b/rules.neon#L50-L52
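
A sketch of how the package's rules.neon could wire the parameters proposed in the issue above through conditionalTags, following the phpstan-strict-rules pattern. This is an added example, not the project's actual configuration and not part of the issue; the larastanStrictRules parameter names come from the suggestion, while the allRules switch and the schema are assumptions borrowed from phpstan-strict-rules.

```neon
# Hypothetical package-side rules.neon (assumption, not the project's real file).
parameters:
    larastanStrictRules:
        # Assumed master switch, mirroring strictRules.allRules in phpstan-strict-rules.
        allRules: true
        # Each toggle defaults to the master switch.
        noDynamicWhere: %larastanStrictRules.allRules%
        noFacade: %larastanStrictRules.allRules%

# PHPStan rejects unknown parameters, so custom ones need a schema.
parametersSchema:
    larastanStrictRules: structure([
        allRules: bool()
        noDynamicWhere: bool()
        noFacade: bool()
    ])

# The rule tag is attached only when the matching parameter is true.
conditionalTags:
    Vural\LarastanStrictRules\Rules\NoDynamicWhereRule:
        phpstan.rules.rule: %larastanStrictRules.noDynamicWhere%
    Vural\LarastanStrictRules\Rules\NoFacadeRule:
        phpstan.rules.rule: %larastanStrictRules.noFacade%

# Services are registered without tags; conditionalTags decides whether they act as rules.
services:
    -
        class: Vural\LarastanStrictRules\Rules\NoDynamicWhereRule
    -
        class: Vural\LarastanStrictRules\Rules\NoFacadeRule

# Consumer side (project phpstan.neon), enabling a single rule without naming its class:
#
# includes:
#     - vendor/canvural/larastan-strict-rules/rules.neon
# parameters:
#     larastanStrictRules:
#         allRules: false
#         noDynamicWhere: true
```

With this layout the consuming project refers only to parameter names, so the maintainer stays free to rename a rule class or add constructor arguments without breaking downstream configs.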

NoDynamicWhereRule is restricting the usage of wherePivot

Hi there 👋,

In one of our projects we use wherePivot in some cases and they appear to be flagged as "Dynamic method call"

Dynamic where method 'wherePivot' should not be used.

While wherePivot is an actual method and not a dynamic call.

I'll give it another look later but first clue would be this method
