Make the primary key not accessible.

Letting the primary key be set through mass assignment can allow some interesting problems when application logic forgets to handle ACLs properly.
cakephp · Mar 18, 2014 · 141e293 · 141e293
1 parent 6dfeeb6
commit 141e293
Show file tree

Hide file tree

Showing 2 changed files with 3 additions and 3 deletions.
diff --git a/src/Console/Command/Task/ModelTask.php b/src/Console/Command/Task/ModelTask.php
@@ -363,8 +363,9 @@ public function getFields($model) {
 		}
 		$schema = $model->schema();
 		$columns = $schema->columns();
-		$exclude = ['created', 'modified', 'updated'];
-		return array_diff($columns, $exclude);
+		$primary = $this->getPrimaryKey($model);
+		$exclude = array_merge($primary, ['created', 'modified', 'updated']);
+		return array_values(array_diff($columns, $exclude));
 	}
 
 /**

diff --git a/tests/TestCase/Console/Command/Task/ModelTaskTest.php b/tests/TestCase/Console/Command/Task/ModelTaskTest.php
@@ -295,7 +295,6 @@ public function testGetFields() {
 		$model = TableRegistry::get('BakeArticles');
 		$result = $this->Task->getFields($model);
 		$expected = [
-			'id',
 			'bake_user_id',
 			'title',
 			'body',