block json mass assignment

laravel · Aug 6, 2020 · 624d873 · 624d873
1 parent 5dfafef
commit 624d873
Show file tree

Hide file tree

Showing 2 changed files with 13 additions and 0 deletions.
diff --git a/src/Illuminate/Database/Eloquent/Concerns/GuardsAttributes.php b/src/Illuminate/Database/Eloquent/Concerns/GuardsAttributes.php
@@ -163,6 +163,10 @@ public function isFillable($key)
      */
     public function isGuarded($key)
     {
+        if (strpos($key, '->')) {
+            $key = Str::before($key, '->');
+        }
+
         return $this->getGuarded() == ['*'] || ! empty(preg_grep('/^'.preg_quote($key).'$/i', $this->getGuarded()));
     }
 

diff --git a/tests/Integration/Database/EloquentModelTest.php b/tests/Integration/Database/EloquentModelTest.php
@@ -38,6 +38,15 @@ public function testCantUpdateGuardedAttributesUsingDifferentCasing()
         $this->assertNull($model->ID);
     }
 
+    public function testCantUpdateGuardedAttributeUsingJson()
+    {
+        $model = new TestModel2;
+
+        $model->fill(['id->foo' => 123]);
+
+        $this->assertNull($model->id);
+    }
+
     public function testUserCanUpdateNullableDate()
     {
         $user = TestModel1::create([