Private/protected object properties are accessible from JS

[cgwyllie]

Hi,

Not sure if this is intended behaviour or not, but it seems like a regression given the number of test cases that have comments saying private/protected properties shouldn't be accessible from the JS side.

Test code:

<?php

class Foo {

        private $privBar = "privBar";
        protected $protBar = "protBar";
        public $pubBar = "pubBar";

}

$js = new V8Js();

$js->foo = new Foo();

$script = <<<END

print(PHP.foo.privBar);
print(PHP.foo.protBar);
print(PHP.foo.pubBar);

END;

$js->executeString($script);

This prints all three strings instead of throwing an error or printing undefined for the non-public ones.

Ubuntu 13.10 PHP 5.5.3-1ubuntu2 phpv8js: e68d7073de4e6fa7797dbc78ba610bc8f5f5dbf5 v8: 735e6593693921a959ca3c82037a3a918da26362

If this is the desired behaviour, would it be possible to allow configuring this? From my point of view it's not desirable to expose priv/prot properties from PHP classes to JS.

Thanks, Chris

[stesie]

Hi,

sorry for the late response. But I agree that private/protected properties should not be accessible; in the past they actually were but this obviously changed (accidentally) when the live-binding was introduced.

Meanwhile I've started working on the issue in https://github.com/stesie/v8js/tree/fix-property-visibility. The __get behaviour is correct now, but haven't tried out set, unset (aka delete) and enumeration.

cheers stesie