Effective C#之23:Avoid Returning References to Internal Class Objects

Item 23: Avoid Returning References to Internal Class Objects


You'd like to think that a read-only property is read-only and that callers can't modify it. Unfortunately, that's not always the way it works. If you create a property that returns a reference type, the caller can access any public member of that object, including those that modify the state of the property. For example:



  1.    public class MyBusinessObject
  2.     {
  3.       // Read Only property providing access to a private data member:
  4.       private DataSet ds;
  5.       public DataSet Data
  6.       {
  7.         get  { return ds;}
  8.        }
  9. }
  11.     // Access the dataset:
  12.     DataSet ds = bizObj.Data;
  13.     // Not intended, but allowed:
  14. ds.Tables.Clear( ); // Deletes all data tables.

Any public client of MyBusinessObject can modify your internal dataset. You created properties to hide your internal data structures. You provided methods to let clients manipulate the data only through known methods, so your class can manage any changes to internal state. And then a read-only property opens a gaping hole in your class encapsulation. It's not a read-write property, where you would consider these issues, but a read-only property.


Welcome to the wonderful world of reference-based systems. Any member that returns a reference type returns a handle to that object. You gave the caller a handle to your internal structures, so the caller no longer needs to go through your object to modify that contained reference.


Clearly, you want to prevent this kind of behavior. You built the interface to your class, and you want users to follow it. You don't want users to access or modify the internal state of your objects without your knowledge. You've got four different strategies for protecting your internal data structures from unintended modifications: value types, immutable types, interfaces, and wrappers.


Value types are copied when clients access them through a property. Any changes to the copy retrieved by the clients of your class do not affect your object's internal state. Clients can change the copy as much as necessary to achieve their purpose. This does not affect your internal state.


Immutable types, such as System.String, are also safe. You can return strings, or any immutable type, safely knowing that no client of your class can modify the string. Your internal state is safe.


The third option is to define interfaces that allow clients to access a subset of your internal member's functionality (see Item 19). When you create your own classes, you can create sets of interfaces that support subsets of the functionality of your class. By exposing the functionality through those interfaces, you minimize the possibility that your internal data changes in ways you did not intend. Clients can access the internal object through the interface you supplied, which will not include the full functionality of the class. Exposing the IListsource interface pointer in the DataSet is one example of this strategy. The Machiavellian programmers out there can defeat that by guessing the type of the object that implements the interface and using a cast. But programmers who go to that much work to create bugs get what they deserve.


The System.Dataset class also uses the last strategy: wrapper objects. The DataViewManager class provides a way to access the DataSet but prevents the mutator methods available through the DataSet class:


  1. public class MyBusinessObject
  2. {
  3.   // Read Only property providing access to a private data member:
  4.   private DataSet da;
  5.   public DataView thisstring tableName ]
  6.   {
  7.     get
  8.     {
  9.       return da.DefaultViewManager.CreateDataView( da.Tables[ tableName ] );
  10.     }
  11.   }
  12. }
  14. // Access the dataset:
  15. DataView list = bizObj[ "customers" ];
  16. foreach ( DataRowView r in list )
  17.   Console.WriteLine( r[ "name" ] );

The DataViewManager creates DataViews to access individual data tables in the DataSet. There is no way for the user of your class to modify the tables in your DataSet through the DataViewManager. Each DataView can be configured to allow the modification of individual data elements. But the client cannot change the tables or columns of data. Read/write is the default, so clients can still add, modify, or delete individual items.


Before we talk about how to create a completely read-only view of the data, let's take a brief look at how you can respond to changes in your data when you allow public clients to modify it. This is important because you'll often want to export a DataView to UI controls so that the user can edit the data (see Item 38). You've undoubtedly already used Windows forms data binding to provide the means for your users to edit private data in your objects. The DataTable class, inside the DataSet, raises events that make it easy to implement the observer pattern: Your classes can respond to any changes that other clients of your class have made. The DataTable objects inside your DataSet will raise events when any column or row changes in that table. The ColumnChanging and RowChanging events are raised before an edit is committed to the DataTable. The ColumnChanged and RowChanged events are raised after the change is committed.

在我们讨论如何创建一个完全只读的数据视图之前,让我们大概的来看一下,在允许公共客户修改数据的时候,你应该做出什么反应。这很重要,因为你经常希望向UI控件暴露DataView,那样的话用户可以编辑数据(Item38)。毫无疑问,你已经使用过Windows窗体数据绑定,做为你的用户编辑你对象私有数据的一种方式。DataSet内部的DataTable类产生事件,使得实现观察者模式很容易:你的类能最对客户做出的任何修改做出响应。DataSet内部的DataTable在表格内的任何行或者列发生变化的时候,会产生事件。ColumnChanging RowChanging事件在有编辑提交给DataTable之前发生,ColumnChanged RowChanged在修改提交之后发生。

You can generalize this technique anytime you want to expose internal data elements for modification by public clients, but you need to validate and respond to those changes. Your class subscribes to events generated by your internal data structure. Event handlers validate changes or respond to those changes by updating other internal state.


Going back to the original problem, you want to let clients view your data but not make any changes. When your data is stored in a DataSet, you can enforce that by creating a DataView for a table that does not allow any changes. The DataView class contains properties that let you customize support for add, delete, modification, or even sorting of the particular table. You can create an indexer to return a customized DataView on the requested table using an indexer:



  1.    public class MyBusinessObject
  2.     {
  3.         // Read Only property providing access to a
  4.         // private data member:
  5.         private DataSet ds;
  6.         public IList this[string tableName]
  7.         {
  8.             get
  9.             {
  10.                 DataView view =ds.DefaultViewManager.CreateDataView(ds.Tables[tableName]);
  11.                 view.AllowNew = false;
  12.                 view.AllowDelete = false;
  13.                 view.AllowEdit = false;
  14.                 return view;
  15.             }
  16.         }
  17. }
  18.     // Access the dataset:
  19.     IList dv = bizOjb["customers"];
  20.     foreach (DataRowView r in dv)
  21.         Console.WriteLine(r["name"]);

This final excerpt of the class returns the view into a particular data table through its IList interface reference. You can use the IList interface with any collection; it's not specific to the DataSet. You should not simply return the DataView object. Users could easily enable the editing and add/delete capability again. The view you are returning has been customized to disallow any modifications to the objects in the list. Returning the IList pointer keeps clients from modifying the rights they have been given to the DataView object.


Exposing reference types through your public interface allows users of your object to modify its internals without going through the methods and properties you've defined. That seems counterintuitive, which makes it a common mistake. You need to modify your class's interfaces to take into account that you are exporting references rather than values. If you simply return internal data, you've given access to those contained members. Your clients can call any method that is available in your members. You limit that access by exposing private internal data using interfaces, or wrapper objects. When you do want your clients to modify your internal data elements, you should implement the Observer pattern so that your objects can validate changes or respond to them.






