Developers are often adding new APIs with methods that receive HttpServletRequest, ThemeDisplay or even ServiceContext as parameters. We have learned the hard way that in most circumstances this is a very bad idea that leads to bugs and no reusability of the API from a different context. Not only that, but this type of API is really hard to debug and even harder to replace when the problems arise. It's much more efficient to prevent them to begin with.
Because of this, I would like to propose defining some new rules and enforcing them (whenever possible with SourceFormatter). Here are some specific proposals:
- HttpServletRequest: It should not be allowed unless the method is meant to do rendering. The same applies to HttpServletResponse. This should only be allowed in:
- Portlet controllers
- ThemeDisplay: I think we should disallow it completely. This is a context object that is useful for JSPs and theme templates. It should not be used in other contexts.
- ServiceContext: It should not be allowed anywhere except for service methods.
We currently probably have several violations to these rules. Upon looking at them we can decide whether we want to add some additional allowed cases or whether we just need to add the current violations as temporary exclusions