
Update mass assignment to be guarded by default.

Having to enable guarding makes apps less secure by default, and forces
users to opt into what should be a safe/secure default.

Setting properties individually should not be subject to mass-assignment
rules as it is probably not mass assignment.
markstory committed Dec 22, 2013
1 parent 2990122 commit a8925db5daa892f87bab5af310ed14ef9d408642
Showing with 24 additions and 19 deletions.
  1. +24 −19 Cake/ORM/Entity.php
@@ -195,31 +195,35 @@ public function __unset($property) {
*
* ## Example:
*
* {{
* $entity->set(['name' => 'andrew', 'id' => 1]);
* echo $entity->name // prints andrew
* echo $entity->id // prints 1
* }}
* {{{
* $entity->set(['name' => 'andrew', 'id' => 1]);
* echo $entity->name // prints andrew
* echo $entity->id // prints 1
* }}}
*
* Some times it is handy to bypass setter functions in this entity when assigning
* properties. You can achieve this by disabling the `setter` option using the
* `$options` parameter
*
* ### Example:
* `$options` parameter:
*
* ``$entity->set('name', 'Andrew', ['setter' => false]);``
*
* ``$entity->set(['name' => 'Andrew', 'id' => 1], ['setter' => false]);``
* {{{
* $entity->set('name', 'Andrew', ['setter' => false]);
* $entity->set(['name' => 'Andrew', 'id' => 1], ['setter' => false]);
* }}}
*
* Mass assignment should be treated carefully when accepting user input, for this
* case you can tell this method to only set property that are marked as accessible
* by setting the `guard` options in the `$options` parameter
* Mass assignment should be treated carefully when accepting user input, by default
* entities will guard all fields when properties are assigned in bulk. You can disable
* the guarding for a single set call with the `guard` option:
*
* ### Example:
* {{{
* $entity->set(['name' => 'Andrew', 'id' => 1], ['guard' => true]);
* }}}
*
* ``$entity->set('name', 'Andrew', ['guard' => true]);``
* You do not need to use the guard option when assigning properties individually:
*
* ``$entity->set(['name' => 'Andrew', 'id' => 1], ['guard' => true]);``
* {{{
* // No need to use the guard option.
* $entity->set('name', 'Andrew');
* }}}
*
* @param string|array $property the name of property to set or a list of
* properties with their respective values
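Review bot: the new guard paragraph and its example contradict each other: the text says "You can disable the guarding for a single set call with the `guard` option:" but the example that follows is `$entity->set(['name' => 'Andrew', 'id' => 1], ['guard' => true]);`, which, now that bulk assignment is guarded by default, is a no-op rather than a way to disable guarding. The example should read `$entity->set(['name' => 'Andrew', 'id' => 1], ['guard' => false]);` so readers who copy it get the behaviour the sentence describes, and it is worth stating explicitly that turning guarding off is the exception to take only for data that is not user-supplied. Minor style point while this block is being touched: "Some times it is handy" should be "Sometimes it is handy".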
@@ -231,12 +235,14 @@ public function __unset($property) {
*/
public function set($property, $value = null, $options = []) {
if (is_string($property)) {
$guard = false;
$property = [$property => $value];
} else {
$guard = true;
$options = (array)$value;
}
$options += ['setter' => true, 'guard' => false];
$options += ['setter' => true, 'guard' => $guard];
foreach ($property as $p => $value) {
if ($options['guard'] === true && !$this->accessible($p)) {
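Review bot: the check `if ($options['guard'] === true && !$this->accessible($p))` fails open for any truthy value that is not the boolean `true`: because `$options += ['setter' => true, 'guard' => $guard];` lets a caller-supplied key win over the computed default, a call such as `set($data, ['guard' => 1])` or `['guard' => 'yes']` silently turns guarding off, which is the opposite of the secure-by-default behaviour this commit sets out to establish. Normalise the option before it is used, e.g. add `$options['guard'] = (bool)$options['guard'];` after the `+=` line, or loosen the comparison to `if ($options['guard'] && !$this->accessible($p))`, so that only an explicit `false` disables the accessible check.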
@@ -263,7 +269,6 @@ public function set($property, $value = null, $options = []) {
}
$this->_properties[$p] = $value;
}
return $this;
}

0 comments on commit a8925db
