
Marshaller should do mass assignment.

Setting properties one at a time bypasses the mass assignment
protection. Since Marshaller is intended to convert user request
data into entities, it should apply mass assignment protection rules.
markstory committed Dec 22, 2013
1 parent bc8f1ce commit 11e3a8aacc2afbf6241c50dc74e9bb10c35112df
Showing with 50 additions and 1 deletion.
  1. +3 −1 Cake/ORM/Marshaller.php
  2. +47 −0 Cake/Test/TestCase/ORM/MarshallerTest.php
@@ -95,6 +95,7 @@ public function one(array $data, $include = []) {
$data = $data[$tableName];
}
$properties = [];
foreach ($data as $key => $value) {
$assoc = null;
$nested = [];
@@ -105,8 +106,9 @@ public function one(array $data, $include = []) {
if ($assoc) {
$value = $this->_marshalAssociation($assoc, $value, $nested);
}
$entity->set($key, $value);
$properties[$key] = $value;
}
$entity->set($properties);
return $entity;
}
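Review bot: Keys that the entity's `_accessible` rules reject are now discarded silently inside `$entity->set($properties)`, but only after `_marshalAssociation()` has already built nested entities for them, so association data arriving under a non-accessible key is fully marshalled and then thrown away. If `_marshalAssociation()` does anything beyond constructing objects (its body is not visible here), that work still runs for request keys the entity will never accept; either checking accessibility before the association branch or stating in the docblock that filtering happens at assignment time would make the guarantee explicit. The docblock of one(), whose signature is outside this hunk, should say that the entity's accessible rules are honoured and that disallowed keys are dropped without error, since callers get no signal that input was ignored. A line comment on the new call, `// Assign in one call so Entity::set() can enforce the entity's accessible rules.`, would also record why the per-key set() was removed, assuming Entity::set() guards by default when handed an array, which the accompanying test relies on.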
@@ -14,11 +14,32 @@
*/
namespace Cake\Test\TestCase\ORM;
use Cake\ORM\Entity;
use Cake\ORM\Marshaller;
use Cake\ORM\Table;
use Cake\ORM\TableRegistry;
use Cake\TestSuite\TestCase;
/**
* Test entity for mass assignment.
*/
class OpenEntity extends Entity {
protected $_accessible = [
'*' => true,
];
}
/**
* Test entity for mass assignment.
*/
class ProtectedArticle extends Entity {
protected $_accessible = [
'title' => true,
'body' => true
];
}
/**
* Marshaller test case
*/
@@ -38,9 +59,14 @@ public function setUp() {
$articles->hasMany('Comments');
$comments = TableRegistry::get('Comments');
$users = TableRegistry::get('Users');
$comments->belongsTo('Articles');
$comments->belongsTo('Users');
$articles->entityClass(__NAMESPACE__ . '\OpenEntity');
$comments->entityClass(__NAMESPACE__ . '\OpenEntity');
$users->entityClass(__NAMESPACE__ . '\OpenEntity');
$this->articles = $articles;
$this->comments = $comments;
}
@@ -77,6 +103,27 @@ public function testOneSimple() {
$this->assertNull($result->isNew(), 'Should be detached');
}
/**
* Test one() follows mass-assignment rules.
*
* @return void
*/
public function testOneAccessibleProperties() {
$data = [
'title' => 'My title',
'body' => 'My content',
'author_id' => 1,
'not_in_schema' => true
];
$this->articles->entityClass(__NAMESPACE__ . '\ProtectedArticle');
$marshall = new Marshaller($this->articles);
$result = $marshall->one($data, []);
$this->assertInstanceOf(__NAMESPACE__ . '\ProtectedArticle', $result);
$this->assertNull($result->author_id);
$this->assertNull($result->not_in_schema);
}
/**
* test one() with a wrapping model name.
*
