$paginate['contain'] exposes hidden fields #7110

Closed
AndersTrier opened this issue Jul 24, 2015 · 7 comments

@AndersTrier

I have a CompaniesTable.php in my model that contains this association

        $this->belongsTo('CreatedBy', [
            'className' => 'Users',
            'foreignKey' => 'created_by_id'
        ]);

And in User.php entity I have

protected $_hidden = ['password'];

Now, when I do this in a controller:

$paginate['contain'] = 'CreatedBy';

The hidden fields from the users table are, as expected, not shown. However, if I spell CreatedBy a bit differently, like:

$paginate['contain'] = 'createdby';

All fields, including the hidden ones, are included in the result.

@lorenzo
Member

lorenzo commented Jul 24, 2015

Exposed in what way? $_hidden is only used for JSON serialization.

lorenzo added this to the 3.0.11 milestone Jul 24, 2015
@AndersTrier
Author

The response generated by

$this->set('companies', $this->paginate());
$this->set('_serialize', ['companies']);

includes a "created_by": { "name": "a" ... } where the 'password' field is not shown, if we had set $paginate['contain'] = 'CreatedBy'.

If $paginate['contain'] = 'createdby', the response includes the field "CreatedBy", in which all the hidden fields are also shown.

@GuidoHendriks

@lorenzo Doesn't it use the auto-generated model by not using the correct association name which doesn't have hidden data?

@AD7six
Member

AD7six commented Jul 24, 2015

> The hidden fields from the users table are as expected not shown. if i spell CreatedBy a bit different [...] All fields, including the hidden ones are included in the result

Please demonstrate that - i.e. show what's happening and in what way it's not what you expect.

@AndersTrier
Author

    public function index(){
        $this->paginate['contain'] = 'CreatedBy';
        $this->set('companies', $this->paginate());
        $this->set('_serialize', ['companies']);
    }

Returns, as expected, the following, where the hidden fields from the users table are not exposed:

{
    "companies": [
        {
            "id": "1",
            "name": "Company 1 ApS",
            "street_name": "Street 12",
            "created_by_id": "2",
            "contact_person_id": "3",
            "invoice_email": "a@b.com",
            "created": "2015-05-25T20:25:06+0000",
            "created_by": {
                "id": "2",
                "first_name": "First name",
                "last_name": "Last name",
                "created": "2015-02-26T17:07:37+0000"
            }
        }
    ]
}

If I write $this->paginate['contain'] = 'Createdby'; instead, the following is returned. Notice that the field "created_by" is now called "CreatedBy", and the "password" field is included.

{
    "companies": [
        {
            "id": "1",
            "name": "Company 1 ApS",
            "street_name": "Street 12",
            "created_by_id": "2",
            "contact_person_id": "3",
            "invoice_email": "a@b.com",
            "created": "2015-05-25T20:25:06+0000",
            "CreatedBy": {
                "id": "2",
                "first_name": "First name",
                "last_name": "Last name",
                "created": "2015-02-26T17:07:37+0000",
                "password": "$2k$11$swRqe3/JQxksSudhbKzhGR..."
            }
        }
    ]
}

@markstory
Member

I did some digging on this, and because the alias name does not match the association alias, the data is not mapped into an entity. Instead it is left as an array. This is why the hidden field settings are not applied.

The root cause of this issue is that associations are stored in a case-insensitive way. This was done to catch duplicate association definitions more easily. I think ensuring that the contained associations use their correct aliases might be a way to prevent this issue.

markstory added a commit that referenced this issue Jul 28, 2015
Raising an exception in the scenario where a developer mis-types an
association name prevents accidental alias mistakes, and more
importantly prevents data from being returned as an array when it should
be entity instances.

Refs #7110
@markstory
Member

Pull request up now.
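
A simplified, self-contained PHP 8 model of the behaviour described in this thread, added here as an illustration and not taken from CakePHP or the referenced commit: associations are looked up case-insensitively, only an exact alias match is hydrated into an entity, and a strict mode rejects a mis-cased alias. The `Entity` and `Associations` classes, the `$strict` flag and the sample row are assumptions made for the example.

```php
<?php
// Simplified model of the failure mode in this thread; not CakePHP source. All names are hypothetical.

final class Entity implements JsonSerializable
{
    public function __construct(private array $fields, private array $hidden) {}

    // Hidden fields are dropped only here, at JSON serialization time.
    public function jsonSerialize(): array
    {
        return array_diff_key($this->fields, array_flip($this->hidden));
    }
}

final class Associations
{
    private array $byKey = [];

    // Stored under a lowercased key, so lookups are case-insensitive.
    public function add(string $alias, array $hidden): void
    {
        $this->byKey[strtolower($alias)] = ['alias' => $alias, 'hidden' => $hidden];
    }

    // $strict = false reproduces the report; $strict = true rejects a mis-cased alias.
    public function contain(string $requested, array $row, bool $strict): array
    {
        $assoc = $this->byKey[strtolower($requested)] ?? null;
        if ($assoc === null || ($strict && $assoc['alias'] !== $requested)) {
            throw new InvalidArgumentException("Unknown association alias: $requested");
        }
        // Only an exact alias match becomes an entity; otherwise the row stays a plain array.
        $value = $assoc['alias'] === $requested ? new Entity($row, $assoc['hidden']) : $row;
        return [$requested => $value];
    }
}

// Constructed sample data.
$user = ['id' => 2, 'first_name' => 'First name', 'password' => 'constructed-hash'];
$assocs = new Associations();
$assocs->add('CreatedBy', ['password']);
echo json_encode($assocs->contain('CreatedBy', $user, false)), "\n"; // exact alias
echo json_encode($assocs->contain('createdby', $user, false)), "\n"; // mis-cased alias, lenient
try {
    $assocs->contain('createdby', $user, true);                      // mis-cased alias, strict
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```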
