Marshaller should do mass assignment.

markstory · markstory · commit 11e3a8aacc2a · 2013-12-22T12:39:31.000-05:00
Setting properties one at a time bypasses the mass assignment
protection. Since Marshaller is intended to handle convert user request
data into entities, it should apply mass assignment protection rules.
diff --git a/Cake/ORM/Marshaller.php b/Cake/ORM/Marshaller.php
@@ -95,6 +95,7 @@ public function one(array $data, $include = []) {
 			$data = $data[$tableName];
 		}
 
+		$properties = [];
 		foreach ($data as $key => $value) {
 			$assoc = null;
 			$nested = [];
@@ -105,8 +106,9 @@ public function one(array $data, $include = []) {
 			if ($assoc) {
 				$value = $this->_marshalAssociation($assoc, $value, $nested);
 			}
-			$entity->set($key, $value);
+			$properties[$key] = $value;
 		}
+		$entity->set($properties);
 		return $entity;
 	}
 
diff --git a/Cake/Test/TestCase/ORM/MarshallerTest.php b/Cake/Test/TestCase/ORM/MarshallerTest.php
@@ -14,11 +14,32 @@
  */
 namespace Cake\Test\TestCase\ORM;
 
+use Cake\ORM\Entity;
 use Cake\ORM\Marshaller;
 use Cake\ORM\Table;
 use Cake\ORM\TableRegistry;
 use Cake\TestSuite\TestCase;
 
+
+/**
+ * Test entity for mass assignment.
+ */
+class OpenEntity extends Entity {
+	protected $_accessible = [
+		'*' => true,
+	];
+}
+
+/**
+ * Test entity for mass assignment.
+ */
+class ProtectedArticle extends Entity {
+	protected $_accessible = [
+		'title' => true,
+		'body' => true
+	];
+}
+
 /**
  * Marshaller test case
  */
@@ -38,9 +59,14 @@ public function setUp() {
 		$articles->hasMany('Comments');
 
 		$comments = TableRegistry::get('Comments');
+		$users = TableRegistry::get('Users');
 		$comments->belongsTo('Articles');
 		$comments->belongsTo('Users');
 
+		$articles->entityClass(__NAMESPACE__ . '\OpenEntity');
+		$comments->entityClass(__NAMESPACE__ . '\OpenEntity');
+		$users->entityClass(__NAMESPACE__ . '\OpenEntity');
+
 		$this->articles = $articles;
 		$this->comments = $comments;
 	}
@@ -77,6 +103,27 @@ public function testOneSimple() {
 		$this->assertNull($result->isNew(), 'Should be detached');
 	}
 
+/**
+ * Test one() follows mass-assignment rules.
+ *
+ * @return void
+ */
+	public function testOneAccessibleProperties() {
+		$data = [
+			'title' => 'My title',
+			'body' => 'My content',
+			'author_id' => 1,
+			'not_in_schema' => true
+		];
+		$this->articles->entityClass(__NAMESPACE__ . '\ProtectedArticle');
+		$marshall = new Marshaller($this->articles);
+		$result = $marshall->one($data, []);
+
+		$this->assertInstanceOf(__NAMESPACE__ . '\ProtectedArticle', $result);
+		$this->assertNull($result->author_id);
+		$this->assertNull($result->not_in_schema);
+	}
+
 /**
  * test one() with a wrapping model name.
  *

Original file line number	Diff line number	Diff line change
`@@ -95,6 +95,7 @@ public function one(array $data, $include = []) {`
`95`	`95`	`$data = $data[$tableName];`
`96`	`96`	`}`
`97`	`97`
	`98`	`+ $properties = [];`
`98`	`99`	`foreach ($data as $key => $value) {`
`99`	`100`	`$assoc = null;`
`100`	`101`	`$nested = [];`
`@@ -105,8 +106,9 @@ public function one(array $data, $include = []) {`
`105`	`106`	`if ($assoc) {`
`106`	`107`	`$value = $this->_marshalAssociation($assoc, $value, $nested);`
`107`	`108`	`}`
`108`		`- $entity->set($key, $value);`
	`109`	`+ $properties[$key] = $value;`
`109`	`110`	`}`
	`111`	`+ $entity->set($properties);`
`110`	`112`	`return $entity;`
`111`	`113`	`}`
`112`	`114`