block json mass assignment

taylorotwell · taylorotwell · commit 624d87373338 · 2020-08-06T08:19:02.000-05:00
diff --git a/src/Illuminate/Database/Eloquent/Concerns/GuardsAttributes.php b/src/Illuminate/Database/Eloquent/Concerns/GuardsAttributes.php
@@ -163,6 +163,10 @@ public function isFillable($key)
      */
     public function isGuarded($key)
     {
+        if (strpos($key, '->')) {
+            $key = Str::before($key, '->');
+        }
+
         return $this->getGuarded() == ['*'] || ! empty(preg_grep('/^'.preg_quote($key).'$/i', $this->getGuarded()));
     }
 
diff --git a/tests/Integration/Database/EloquentModelTest.php b/tests/Integration/Database/EloquentModelTest.php
@@ -38,6 +38,15 @@ public function testCantUpdateGuardedAttributesUsingDifferentCasing()
         $this->assertNull($model->ID);
     }
 
+    public function testCantUpdateGuardedAttributeUsingJson()
+    {
+        $model = new TestModel2;
+
+        $model->fill(['id->foo' => 123]);
+
+        $this->assertNull($model->id);
+    }
+
     public function testUserCanUpdateNullableDate()
     {
         $user = TestModel1::create([

Original file line number	Diff line number	Diff line change
`@@ -163,6 +163,10 @@ public function isFillable($key)`
`163`	`163`	`*/`
`164`	`164`	`public function isGuarded($key)`
`165`	`165`	`{`
	`166`	`+ if (strpos($key, '->')) {`
	`167`	`+ $key = Str::before($key, '->');`
	`168`	`+ }`
	`169`	`+`
`166`	`170`	`return $this->getGuarded() == ['*'] \|\| ! empty(preg_grep('/^'.preg_quote($key).'$/i', $this->getGuarded()));`
`167`	`171`	`}`
`168`	`172`