| ============== |
| Access Control |
| ============== |
| |
| The general guiding principle of Swift access control: |
| |
| **No entity can be defined in terms of another entity that has a lower |
| access level.** |
| |
| There are three levels of access: "private", "internal", and "public". |
| Private entities can only be accessed from within the source file where they |
| are defined. Internal entities can be accessed anywhere within the module they |
| are defined. Public entities can be accessed from anywhere within the module |
| and from any other context that imports the current module. |
| |
| The names ``public`` and ``private`` have precedent in many languages; |
| ``internal`` comes from C#. In the future, ``public`` may be used for both API |
| and SPI, at which point we may design additional annotations to distinguish the |
| two. |
| |
| By default, most entities in a source file have ``internal`` access. |
| This optimizes for the most common case—a single-target application |
| project—while not accidentally revealing entities to clients of a framework |
| module. |
| |
| .. contents:: :local: |
| |
| Rules |
| ====== |
| |
| Access to a particular entity is considered relative to the current |
| *access context.* The access context of an entity is the current |
| file (if ``private``), the current module (if ``internal``), or the current |
| program (if ``public``). A reference to an entity may only be written within |
| the entity's access context. |
| |
| If a particular entity is not accessible, it does not appear in name lookup, |
| unlike in C++. However, access control does not restrict access to members via |
| runtime reflection (where applicable), nor does it necessarily restrict |
| visibility of symbols in a linked binary. |
| |
| |
| Globals and Members |
| ------------------- |
| |
| A global function, constant, or variable may have any access level less than |
| or equal to the access level of its type. That is, a ``private`` constant can |
| have ``public`` type, but not the other way around. |
| |
| Accessors for variables have the same access level as their associated variable. |
| The setter may be explicitly annotated with an access level less than or equal |
| to the access level of the variable; this is written as ``private(set)`` or |
| ``internal(set)`` before the ``var`` introducer. |
| |
| An initializer, method, subscript, or property may have any access level less |
| than or equal to the access level of its type (including the implicit 'Self' |
| type), with a few additional rules: |
| |
| - If the type's access level is ``private``, the access level of members |
| defaults to ``private``. If the type's access level is ``internal`` or |
| ``public``, the access level of members defaults to ``internal``. |
| |
| - If a member is used to satisfy a protocol requirement, its access level must |
| be at least as high as the protocol conformance's; see :ref:`Protocols` below. |
| |
| - If an initializer is ``required`` by a superclass, its access level must be |
| at least as high as the access level of the subclass itself. |
| |
| - Accessors for subscripts follow the same rules as accessors for variables. |
| |
| - A member may be overridden whenever it is accessible. |
| |
| The implicit memberwise initializer for a struct has the minimum access level |
| of all of the struct's stored properties, except that if all properties are |
| ``public`` the initializer is ``internal``. The implicit no-argument |
| initializer for structs and classes follows the default access level for the |
| type. |
| |
| Currently, enum cases always have the same access level as the enclosing enum. |
| |
| Deinitializers are only invoked by the runtime and do not nominally have access. |
| Internally, the compiler represents them as having the same access level as the |
| enclosing type. |
| |
| |
| .. _Protocols: |
| |
| Protocols |
| --------- |
| |
| A protocol may have any access level less than or equal to the access levels |
| of the protocols it refines. That is, a ``private`` ExtendedWidget protocol can |
| refine a ``public`` Widget protocol, but not the other way around. |
| |
| The access level of a requirement is the access level of the enclosing |
| protocol, even when the protocol is ``public``. Currently, requirements may not |
| be given a lower access level than the enclosing protocol. |
| |
| Swift does not currently support private protocol conformances, so for runtime |
| consistency, the access level of the conformance of type T to protocol P is |
| equal to the minimum of T's access level and P's access level; that is, the |
| conformance is accessible whenever both T and P are accessible. This does not |
| change if the protocol is conformed to in an extension. (The access level of a |
| conformance is not currently reflected in the source, but is a useful concept |
| for applying restrictions consistently.) |
| |
| All members used to satisfy a conformance must have an access level at least as |
| high as the conformance's. This ensures consistency between views of the type; |
| if any member has a *lower* access level than the conformance, then the member |
| could be accessed anyway through a generic function constrained by the protocol. |
| |
| .. note:: |
| |
| This rule disallows an ``internal`` member of a protocol extension to satisfy |
| a ``public`` requirement for a ``public`` type. Removing this limitation is |
| not inherently unsafe, but (a) may be unexpected given the lack of explicit |
| reference to the member, and (b) results in references to non-public symbols |
| in the current representation. |
| |
| A protocol may be used as a type whenever it is accessible. A nominal can |
| conform to a protocol whenever the protocol is accessible. |
| |
| |
| Structs, Enums, and Classes |
| --------------------------- |
| |
| A struct, enum, or class may be used as a type whenever it is accessible. A |
| struct, enum, or class may be extended whenever it is accessible. |
| |
| A class may be subclassed whenever it is accessible. A class may have any |
| access level less than or equal to the access level of its superclass. |
| |
| Members in an extension have the same default access level as members declared |
| within the extended type. However, an extension may be marked with an explicit |
| access modifier (e.g. ``private extension``), in which case the default |
| access level of members within the extension is changed to match. |
| |
| Extensions with explicit access modifiers may not add new protocol |
| conformances, since Swift does not support private protocol conformances |
| (see :ref:`Protocols` above). |
| |
| A type may conform to a protocol with lower access than the type itself. |
| |
| |
| Types |
| ----- |
| |
| A nominal type's access level is the same as the access level of the nominal |
| declaration itself. A generic type's access level is the minimum of the access |
| level of the base type and the access levels of all generic argument types. |
| |
| A tuple type's access level is the minimum of the access levels of its |
| elements. A function type's access level is the minimum of the access levels of |
| its input and return types. |
| |
| A typealias may have any access level up to the access level of the type it |
| aliases. That is, a ``private`` typealias can refer to a ``public`` type, but |
| not the other way around. This includes associated types used to satisfy |
| protocol conformances. |
| |
| |
| Runtime Guarantees |
| ================== |
| |
| Non-``public`` members of a class or extension will not be seen by subclasses |
| or other extensions from outside the module. Therefore, members of a subclass |
| or extension will not conflict with or inadvertently be considered to override |
| non-accessible members of the superclass. |
| |
| Both ``private`` and ``internal`` increase opportunities for devirtualization, |
| though it is still possible to put a subclass of a ``private`` class within the |
| same file. |
| |
| Most information about a non-``public`` entity still has to be put into a |
| module file for now, since we don't have resilience implemented. This can be |
| improved later, and is no more revealing than the information currently |
| available in the runtime for pure Objective-C classes. |
| |
| |
| Interaction with Objective-C |
| ---------------------------- |
| |
| If an entity is exposed to Objective-C, most of the runtime guarantees and |
| optimization opportunities go out the window. We have to use a particular |
| selector for members, everything can be inspected at runtime, and even a |
| private member can cause selector conflicts. In this case, access control is |
| only useful for discipline purposes. |
| |
| Members explicitly marked ``private`` are *not* exposed to Objective-C unless |
| they are also marked ``@objc`` (or ``@IBAction`` or similar), even if declared |
| within a class implicitly or explicitly marked ``@objc``. |
| |
| Any ``public`` entities will be included in the generated header. In an |
| application or unit test target, ``internal`` entities will be exposed as well. |
| |
| |
| Non-Goals: "class-only" and "protected" |
| ======================================= |
| |
| This proposal omits two forms of access control commonly found in other |
| languages, a "class-implementation-only" access (often called "private"), and a |
| "class and any subclasses" access (often called "protected"). We chose not to |
| include these levels of access control because they do not add useful |
| functionality beyond ``private``, ``internal``, and ``public``. |
| |
| "class-only" |
| If "class-only" includes extensions of the class, it is clear that it |
| provides no protection at all, since a class may be extended from any context |
| where it is accessible. So a hypothetical "class-only" must already be |
| limited with regards to extensions. Beyond that, however, a "class-only" |
| limit forces code to be declared within the class that might otherwise |
| naturally be a top-level helper or an extension method on another type. |
| |
| ``private`` serves the proper use case of limiting access to the |
| implementation details of a class (even from the rest of the module!) while |
| not requiring that all of those implementation details be written lexically |
| inside the class. |
| |
| "protected" |
| "protected" access provides no guarantees of information hiding, since any |
| subclass can now access the implementation details of its superclass---and |
| expose them publicly, if it so chooses. This interacts poorly with our future |
| plans for resilient APIs. Additionally, it increases the complexity of the |
| access control model for both the compiler and for developers, and like |
| "class-only" it is not immediately clear how it interacts with extensions. |
| |
| Though it is not compiler-enforced, members that might be considered |
| "protected" are effectively publicly accessible, and thus should be marked |
| ``public`` in Swift. They can still be documented as intended for overriding |
| rather than for subclassing, but the specific details of this are best dealt |
| with on a case-by-case basis. |
| |
| |
| Potential Future Directions |
| =========================== |
| |
| - Allowing ``private`` or ``internal`` protocol conformances, which are only |
| accessible at compile-time from a particular access context. |
| |
| - Limiting particular capabilities, such as marking something ``final(public)`` |
| to restrict subclassing or overriding outside of the current module. |
| |
| - Allowing the Swift parts of a mixed-source framework to access private |
| headers. |
| |
| - Revealing ``internal`` Swift API in a mixed-source framework in a second |
| generated header. |
| |
| - Levels of ``public``, for example ``public("SPI")``. |
| |
| - Enum cases less accessible than the enum. |
| |
| - Protocol requirements less accessible than the protocol. |
