NoScriptAccess for constructor

[CrosRoad95]

Hello again! i would like to disallow user to use class constrator and force to use method, how can i do this?
NoScriptAccess is not allowed for constructor

public class Foo{
  public Foo() {} // new Foo() should not be allowed
}

public class Bar{
  Foo CreateFoo(){ return new Foo(); }
}

new Foo() // throw exception
let bar = new Bar()
let foo = bar.CreateFoo() // ok

[ClearScriptLib]

Hi @CrosRoad95,

NoScriptAccess is not allowed for constructor

That's an oversight, and we'll fix it in the next release. Thanks for reporting it!

Regarding your code sample above, the JavaScript syntax new Foo() only works if you've exposed Foo via AddHostType or ToHostType. If you simply don't do that, everything will work as you expect. Script code will still have full access to objects returned by CreateFoo, but it won't be able to instantiate Foo via the new operator.

If you must expose Foo but wish to make its constructor inaccessible, you can apply NoScriptAccessAttribute via a custom attribute loader. For example:

public class MyAttributeLoader : CustomAttributeLoader {
    public override T[] LoadCustomAttributes<T>(ICustomAttributeProvider resource, bool inherit) {
        if (typeof(ScriptUsageAttribute).IsAssignableFrom(typeof(T)) && typeof(Foo).GetConstructors().Contains(resource)) {
            return new[] { new NoScriptAccessAttribute() } as T[];
        }
        return base.LoadCustomAttributes<T>(resource, inherit);
    }
}

Good luck!

[ClearScriptLib]

Fixed in Version 7.3.6.

[handerss-spotfire]

Using CustomAttributeLoader to hide the constructor does not seem to work for all types. If I add Guid or DateTime for example and then try to disallow their constructors using LoadCustomAttributes in the same way as described in #444 (comment) I'm still able to use new Guid() in my script.

EDIT: This seems to only be true for the parameter-less constructor. Blocking for example Guid.ctor(System.String) works.

[ClearScriptLib]

Hi @handerss-tibco,

This seems to only be true for the parameter-less constructor. Blocking for example Guid.ctor(System.String) works.

.NET value types don't have default constructors. C# allows you to use new without arguments to create a struct, but that's just syntax, and ClearScript expressly enables the same syntax for JavaScript. The fact is, however, that there's no actual, reflection-accessible constructor there to which one could assign custom attributes.

UPDATE: It appears that default constructors for value types were added in .NET 6 and C# 10. ClearScript will support this scenario in the next release.

Thanks!