Just a simple use case showing how dangerous that is :
<?php
$p = function($p) { $this->$p = new Stdclass; };
$p->call($e = new Exception, 'trace');
throw $e;
That nearly crashes PHP7.
http://3v4l.org/fJj22
(The same trick using Reflection with PHP5 crashes the engine, this is a
known bug that we chose not to fix).
I am absolutely not confident at all having Closure::call() beeing able to
access private data.
Private is private.
For internal classes, this is even worse, and could lead to crash (look at
the example about Exception).
Changing a variable that is private, is absolutely NOT expected from the
class designer.
For User classes, this could lead to information leaks or bad behaviors,
and for internal classes this is even worse and could easilly segfault or
with a little bit of more magic and brain sauce, lead to memory disclosures.
I would like we re-open the debate about accessign private data with
external code (closure), especially in a write context.
Julien.P
