Update mass assignment to be guarded by default.

Having to enable guarding makes apps less secure by default, and forces users to opt into what should be a safe/secure default. Setting properties individually should not be subject to mass-assignment rules as it is probably not mass assignment.
cakephp · Dec 22, 2013 · a8925db · a8925db
1 parent 2990122
commit a8925db
Showing 1 changed file with 24 additions and 19 deletions.
diff --git a/Cake/ORM/Entity.php b/Cake/ORM/Entity.php
@@ -195,31 +195,35 @@ public function __unset($property) {
  *
  * ## Example:
  *
- * {{
- *	$entity->set(['name' => 'andrew', 'id' => 1]);
- *	echo $entity->name // prints andrew
- *	echo $entity->id // prints 1
- * }}
+ * {{{
+ * $entity->set(['name' => 'andrew', 'id' => 1]);
+ * echo $entity->name // prints andrew
+ * echo $entity->id // prints 1
+ * }}}
  *
  * Some times it is handy to bypass setter functions in this entity when assigning
  * properties. You can achieve this by disabling the `setter` option using the
- * `$options` parameter
- *
- * ### Example:
+ * `$options` parameter:
  *
- * ``$entity->set('name', 'Andrew', ['setter' => false]);``
- *
- * ``$entity->set(['name' => 'Andrew', 'id' => 1], ['setter' => false]);``
+ * {{{
+ * $entity->set('name', 'Andrew', ['setter' => false]);
+ * $entity->set(['name' => 'Andrew', 'id' => 1], ['setter' => false]);
+ * }}}
  *
- * Mass assignment should be treated carefully when accepting user input, for this
- * case you can tell this method to only set property that are marked as accessible
- * by setting the `guard` options in the `$options` parameter
+ * Mass assignment should be treated carefully when accepting user input, by default
+ * entities will guard all fields when properties are assigned in bulk. You can disable
+ * the guarding for a single set call with the `guard` option:
  *
- * ### Example:
+ * {{{
+ * $entity->set(['name' => 'Andrew', 'id' => 1], ['guard' => true]);
+ * }}}
  *
- * ``$entity->set('name', 'Andrew', ['guard' => true]);``
+ * You do not need to use the guard option when assigning properties individually:
  *
- * ``$entity->set(['name' => 'Andrew', 'id' => 1], ['guard' => true]);``
+ * {{{
+ * // No need to use the guard option.
+ * $entity->set('name', 'Andrew');
+ * }}}
  *
  * @param string|array $property the name of property to set or a list of
  * properties with their respective values
@@ -231,12 +235,14 @@ public function __unset($property) {
  */
 	public function set($property, $value = null, $options = []) {
 		if (is_string($property)) {
+			$guard = false;
 			$property = [$property => $value];
 		} else {
+			$guard = true;
 			$options = (array)$value;
 		}
 
-		$options += ['setter' => true, 'guard' => false];
+		$options += ['setter' => true, 'guard' => $guard];
 
 		foreach ($property as $p => $value) {
 			if ($options['guard'] === true && !$this->accessible($p)) {
@@ -263,7 +269,6 @@ public function set($property, $value = null, $options = []) {
 			}
 			$this->_properties[$p] = $value;
 		}
-
 		return $this;
 	}