
Merge prefixed data in instead of overwriting.

By merging we can retain any top level data that the developer added
before marshalling happened. This helps prevent scenarios where a bad
person adds prefixed data to a payload to circumvent manually assigned
data before marshalling.
markstory committed May 24, 2016
1 parent 625a9b4 commit cda4d8683f537f2947bc60c0d6173332224f6e97
Showing with 5 additions and 2 deletions.
  1. +2 −1 src/ORM/Marshaller.php
  2. +3 −1 tests/TestCase/ORM/MarshallerTest.php
@@ -216,7 +216,8 @@ protected function _prepareDataAndOptions($data, $options)
$tableName = $this->_table->alias();
if (isset($data[$tableName])) {
$data = $data[$tableName];
$data += $data[$tableName];
unset($data[$tableName]);
}
$data = new ArrayObject($data);
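Review bot: The new `$data += $data[$tableName];` line assumes the value under the table alias is an array, but the guard above it only checks `isset()`. If a payload supplies a scalar under that key (the commit message indicates this data can be attacker-influenced), the array union fails with an unsupported-operand error instead of going through normal field handling. Tightening the condition to `if (isset($data[$tableName]) && is_array($data[$tableName])) {` would avoid that. Since the precedence is the security-relevant part of the change, a comment such as `// Array union: existing top-level keys win, prefixed data only fills in missing keys.` would also help future readers. The body of `_prepareDataAndOptions` starts and continues outside this hunk, so any earlier type check on `$data` is not visible here.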
@@ -360,6 +360,7 @@ public function testOneAccessibleFieldsOptionForAssociations()
public function testOneWithAdditionalName()
{
$data = [
'title' => 'Original Title',
'Articles' => [
'title' => 'My title',
'body' => 'My content',
@@ -376,7 +377,8 @@ public function testOneWithAdditionalName()
$this->assertInstanceOf('Cake\ORM\Entity', $result);
$this->assertTrue($result->dirty(), 'Should be a dirty entity.');
$this->assertTrue($result->isNew(), 'Should be new');
$this->assertEquals($data['Articles']['title'], $result->title);
$this->assertFalse($result->has('Articles'), 'No prefixed field.');
$this->assertEquals($data['title'], $result->title, 'Data from prefix should be merged.');
$this->assertEquals($data['Articles']['user']['username'], $result->user->username);
}
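Review bot: The message on the new assertion, `'Data from prefix should be merged.'`, describes the opposite of what the assertion checks: it verifies that the top-level `title` wins over `Articles.title`. Something like `$this->assertEquals($data['title'], $result->title, 'Top-level data should take precedence over prefixed data.');` would make a failure self-explanatory. The test would also pin the behaviour more fully with a prefixed-only scalar field (for example asserting `$data['Articles']['body']` against `$result->body`), so that both sides of the merge are covered. The middle of `testOneWithAdditionalName` lies between the two hunks and is not visible, so `body` may already be asserted there.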
