Skip to main content

Never open up access to code protected by ACCESSIBLE BY?

In my Oracle Magazine article, When Packages Need to Lose Weight, I step through the process of breaking up a large package body into "sub" packages whose access is restricted through use of the new-to- Oracle Database 12c ACCESSIBLE BY feature.

The idea, to sum it all up, is that once I move code from my original too-large-to-manage package body to another package, the header moves to the spec of that package. This means that formerly-private functionality is now accessible to anyone with execute authority on that package.

For that reason, I stated:
The body of em_central shrinks to a fraction of its former self, because the body of each procedure is simply a redirect into the em_central_a and em_central_b packages. The subprograms in these packages should be invoked only by em_central.
A reader contacted me with this question:
For me this means that newly written subprograms should not invoke the new packages em_central_a and em_central_b directly. So the ACCESSIBLE BY clause could be applied to these packages as well.  For a colleague of mine, this is carrying things too far. He thinks you see no problem if newly written code accesses the packages em_central_a and em_central_b directly. If you agree to the opinion of my colleague, the cited excerpt from the article should be revised. 
Revise what I wrote? Accept that I was wrong? What is Arne thinking?

He is thinking that I am arational human being. And I deeply appreciate that. In fact, I have no (minimal, anyway) problem admitting I am wrong and fixing what I have written. I do that a lot. :-)

But I think in this case I will fight the good fight and provide a more thorough explanation.

First, Arne, regarding use of ACCESSIBLE BY with "these packages as well." I think that you must be referring to the packages containing the new subprograms that want to use em_central_a or _b? If so, yes, you can certainly expand the list of program units in ACCESSIBLE BY, which brings me to my main point:

The default position you should take regarding previously private code that was made "public" solely to help re-org your chubby packages is:

Don't let anyone/any other program access that code.

Which is what I am saying in that quote. Why? Well, because it wasn't designed for use anywhere else. It wasn't tested for use outside of the current execution path. I do think it is extremely important that the original intention of the original developer be respected until you find a good reason to change it.

Otherwise you are asking for trouble - unless that code is so transparent, so well-written and comes with an automated unit testing script that it can understood and used in a variety of ways with confidence.

Please think about this: how many packages have you written or seen from others for which this is true?

Which brings me to my final point:

Everything changes, and code reuse is critical to overall maintainability of code.

By which I mean: when you first break up the package and create pseudo-private packages for the previously private code, you should tightly restrict usage. But suppose a developer comes along, sees those inaccessible subprograms, investigates and decides: "Wow, I could really use that functionality!"

Am I suggesting you tell them to get lost? No, of course not! At that point, you:

  • do some analysis, verify that there really is a good fit;
  • sort out what would need to change in the existing restricted subprogram to be used elsewhere;
  • ensure that these changes would not affect the original use 
  • make the changes and test them
  • add the new package "user" to the ACCESSIBLE BY clause
So, sure, "no problem" - expand access to that now-possibly-usable code, but do with it intention and careful decision-making. 

Should I revise my article? After all, it's not so "black and white", is it? Well....I don't think I need to do that. After all, I don't say:

NEVER EVER USE THAT CODE ELSEWHERE OR YOU ARE AN IDIOT. [I do NOT say this!]

I say: "The subprograms in these packages should be invoked only by em_central."


For any and every programming feature you ever encounter, there will always be nuances. I'd rather use my articles to make developers aware of what is possible with new features, and the major motivations behind these features.

Good, clever, practical programmers will discover exceptions, interesting new ways to apply a feature, all the time. It's what we do. And my statement includes an implicit admission of that reality.

Comments

Popular posts from this blog

Quick Guide to User-Defined Types in Oracle PL/SQL

A Twitter follower recently asked for more information on user-defined types in the PL/SQL language, and I figured the best way to answer is to offer up this blog post. PL/SQL is a strongly-typed language . Before you can work with a variable or constant, it must be declared with a type (yes, PL/SQL also supports lots of implicit conversions from one type to another, but still, everything must be declared with a type). PL/SQL offers a wide array of pre-defined data types , both in the language natively (such as VARCHAR2, PLS_INTEGER, BOOLEAN, etc.) and in a variety of supplied packages (e.g., the NUMBER_TABLE collection type in the DBMS_SQL package). Data types in PL/SQL can be scalars, such as strings and numbers, or composite (consisting of one or more scalars), such as record types, collection types and object types. You can't really declare your own "user-defined" scalars, though you can define subtypes  from those scalars, which can be very helpful from the p

The differences between deterministic and result cache features

 EVERY once in a while, a developer gets in touch with a question like this: I am confused about the exact difference between deterministic and result_cache. Do they have different application use cases? I have used deterministic feature in many functions which retrieve data from some lookup tables. Is it essential to replace these 'deterministic' key words with 'result_cache'?  So I thought I'd write a post about the differences between these two features. But first, let's make sure we all understand what it means for a function to be  deterministic. From Wikipedia : In computer science, a deterministic algorithm is an algorithm which, given a particular input, will always produce the same output, with the underlying machine always passing through the same sequence of states.  Another way of putting this is that a deterministic subprogram (procedure or function) has no side-effects. If you pass a certain set of arguments for the parameters, you will always get

My two favorite APEX 5 features: Regional Display Selector and Cards

We (the over-sized development team for the PL/SQL Challenge - myself and my son, Eli) have been busy creating a new website on top of the PLCH platform (tables and packages): The Oracle Dev Gym! In a few short months (and just a part time involvement by yours truly), we have leveraged Oracle Application Express 5 to create what I think is an elegant, easy-to-use site that our users will absolutely love.  We plan to initially make the Dev Gym available only for current users of PL/SQL Challenge, so we can get feedback from our loyal user base. We will make the necessary adjustments and then offer it for general availability later this year. Anyway, more on that as the date approaches (the date being June 27, the APEX Open Mic Night at Kscope16 , where I will present it to a packed room of APEX experts). What I want to talk about today are two features of APEX that are making me so happy these days: Regional Display Selector and Cards. Regional Display Sel