Marshaller should do mass assignment.

Setting properties one at a time bypasses the mass assignment protection. Since Marshaller is intended to handle convert user request data into entities, it should apply mass assignment protection rules.
cakephp · Dec 22, 2013 · 11e3a8a · 11e3a8a
1 parent bc8f1ce
commit 11e3a8a
Show file tree

Hide file tree

Showing 2 changed files with 50 additions and 1 deletion.
diff --git a/Cake/ORM/Marshaller.php b/Cake/ORM/Marshaller.php
@@ -95,6 +95,7 @@ public function one(array $data, $include = []) {
 			$data = $data[$tableName];
 		}
 
+		$properties = [];
 		foreach ($data as $key => $value) {
 			$assoc = null;
 			$nested = [];
@@ -105,8 +106,9 @@ public function one(array $data, $include = []) {
 			if ($assoc) {
 				$value = $this->_marshalAssociation($assoc, $value, $nested);
 			}
-			$entity->set($key, $value);
+			$properties[$key] = $value;
 		}
+		$entity->set($properties);
 		return $entity;
 	}
 

diff --git a/Cake/Test/TestCase/ORM/MarshallerTest.php b/Cake/Test/TestCase/ORM/MarshallerTest.php
@@ -14,11 +14,32 @@
  */
 namespace Cake\Test\TestCase\ORM;
 
+use Cake\ORM\Entity;
 use Cake\ORM\Marshaller;
 use Cake\ORM\Table;
 use Cake\ORM\TableRegistry;
 use Cake\TestSuite\TestCase;
 
+
+/**
+ * Test entity for mass assignment.
+ */
+class OpenEntity extends Entity {
+	protected $_accessible = [
+		'*' => true,
+	];
+}
+
+/**
+ * Test entity for mass assignment.
+ */
+class ProtectedArticle extends Entity {
+	protected $_accessible = [
+		'title' => true,
+		'body' => true
+	];
+}
+
 /**
  * Marshaller test case
  */
@@ -38,9 +59,14 @@ public function setUp() {
 		$articles->hasMany('Comments');
 
 		$comments = TableRegistry::get('Comments');
+		$users = TableRegistry::get('Users');
 		$comments->belongsTo('Articles');
 		$comments->belongsTo('Users');
 
+		$articles->entityClass(__NAMESPACE__ . '\OpenEntity');
+		$comments->entityClass(__NAMESPACE__ . '\OpenEntity');
+		$users->entityClass(__NAMESPACE__ . '\OpenEntity');
+
 		$this->articles = $articles;
 		$this->comments = $comments;
 	}
@@ -77,6 +103,27 @@ public function testOneSimple() {
 		$this->assertNull($result->isNew(), 'Should be detached');
 	}
 
+/**
+ * Test one() follows mass-assignment rules.
+ *
+ * @return void
+ */
+	public function testOneAccessibleProperties() {
+		$data = [
+			'title' => 'My title',
+			'body' => 'My content',
+			'author_id' => 1,
+			'not_in_schema' => true
+		];
+		$this->articles->entityClass(__NAMESPACE__ . '\ProtectedArticle');
+		$marshall = new Marshaller($this->articles);
+		$result = $marshall->one($data, []);
+
+		$this->assertInstanceOf(__NAMESPACE__ . '\ProtectedArticle', $result);
+		$this->assertNull($result->author_id);
+		$this->assertNull($result->not_in_schema);
+	}
+
 /**
  * test one() with a wrapping model name.
  *