diff --git a/README.md b/README.md
index 372e2dc6a..56256fea5 100644
--- a/README.md
+++ b/README.md
@@ -22,6 +22,7 @@ This package adds functionalities to the Eloquent model and Query builder for Mo - [Extending the base model](#extending-the-base-model) - [Soft Deletes](#soft-deletes) - [Dates](#dates) + - [Guarding attributes](#guarding-attributes) - [Basic Usage](#basic-usage) - [MongoDB-specific operators](#mongodb-specific-operators) - [MongoDB-specific Geo operations](#mongodb-specific-geo-operations)
@@ -240,7 +241,7 @@ use Jenssegers\Mongodb\Auth\User as Authenticatable; class User extends Authenticatable { - + } ```
@@ -263,6 +264,13 @@ class User extends Model For more information check [Laravel Docs about Soft Deleting](http://laravel.com/docs/eloquent#soft-deleting).
+### Guarding attributes
+
+When choosing between guarding attributes or marking some as fillable, Taylor Otwell prefers the fillable route.
+This is in light of [recent security issues described here](https://blog.laravel.com/security-release-laravel-61835-7240).
+
+Keep in mind guarding still works, but you may experience unexpected behavior.
+ ### Dates Eloquent allows you to work with Carbon or DateTime objects instead of MongoDate objects. Internally, these dates will be converted to MongoDate objects when saved to the database.
diff --git a/src/Jenssegers/Mongodb/Eloquent/Model.php b/src/Jenssegers/Mongodb/Eloquent/Model.php
index 9e1cf9bd7..8aaef55bb 100644
--- a/src/Jenssegers/Mongodb/Eloquent/Model.php
+++ b/src/Jenssegers/Mongodb/Eloquent/Model.php
@@ -473,6 +473,17 @@ protected function getRelationsWithoutParent() return $relations; }
+ /**
+ * Checks if column exists on a table. As this is a document model, just return true. This also
+ * prevents calls to non-existent function Grammar::compileColumnListing()
+ * @param string $key
+ * @return bool
+ */
+ protected function isGuardableColumn($key)
+ {
+ return true;
+ }
+ /**
+ * @inheritdoc
+ */
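Review bot: `isGuardableColumn()` returning `true` unconditionally removes the safeguard this hook exists for — as far as I can tell upstream Eloquent's `isGuarded()` treats a key that is not a known column as guarded, which is what stops a `foobar->level2` key when only `foobar` is listed in `$guarded` — so after this change the exact-name match against `$guarded` is the only remaining gate on a MongoDB model. Since MongoDB addresses nested fields with dot notation rather than `->`, a narrower implementation keeps that protection while still avoiding the column listing: `return ! Str::contains($key, '->');` (this assumes `Illuminate\Support\Str` is imported in Model.php, which the hunk does not show). Whichever behaviour is kept, the docblock should state the trade-off rather than only the call it avoids, e.g. `Document models have no column listing, so every key is treated as a column; the only mass-assignment protection left is the exact-name match against $guarded.`. A `: bool` return type can be added without breaking compatibility with the parent declaration.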
diff --git a/src/Jenssegers/Mongodb/Schema/Builder.php b/src/Jenssegers/Mongodb/Schema/Builder.php
index c01d12426..dcad10aa9 100644
--- a/src/Jenssegers/Mongodb/Schema/Builder.php
+++ b/src/Jenssegers/Mongodb/Schema/Builder.php
@@ -7,14 +7,6 @@ class Builder extends \Illuminate\Database\Schema\Builder {
- /**
- * @inheritdoc
- */
- public function __construct(Connection $connection)
- {
- $this->connection = $connection;
- }
- /**
- * @inheritdoc
- */
diff --git a/tests/ModelTest.php b/tests/ModelTest.php
index 6c1edc5a1..2e25a9a58 100644
--- a/tests/ModelTest.php
+++ b/tests/ModelTest.php
@@ -19,6 +19,7 @@ public function tearDown(): void Soft::truncate(); Book::truncate(); Item::truncate();
+ Guarded::truncate(); } public function testNewModel(): void
@@ -722,4 +723,27 @@ public function testTruncateModel() $this->assertEquals(0, User::count()); }
+
+ public function testGuardedModel()
+ {
+ $model = new Guarded();
+ // foobar is properly guarded
+ $model->fill(['foobar' => 'ignored', 'name' => 'John Doe']);
+ $this->assertFalse(isset($model->foobar));
+ $this->assertSame('John Doe', $model->name);
+ // foobar is guarded to any level
+ $model->fill(['foobar->level2' => 'v2']);
+ $this->assertNull($model->getAttribute('foobar->level2'));
+ // multi level statement also guarded
+ $model->fill(['level1->level2' => 'v1']);
+ $this->assertNull($model->getAttribute('level1->level2'));
+ // level1 is still writable
+ $dataValues = ['array', 'of', 'values'];
+ $model->fill(['level1' => $dataValues]);
+ $this->assertEquals($dataValues, $model->getAttribute('level1'));
+ } }
diff --git a/tests/models/Guarded.php b/tests/models/Guarded.php
new file mode 100644
index 000000000..8f6b6d58c
--- /dev/null
+++ b/tests/models/Guarded.php
@@ -0,0 +1,11 @@
+level2'];
+}
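Review bot: The assertions `$this->assertNull($model->getAttribute('foobar->level2'));` and `$this->assertNull($model->getAttribute('level1->level2'));` in testGuardedModel would pass even if the fill had gone through, because a `->` key is not stored under that literal name — if upstream Eloquent's `setAttribute()` routes `->` keys to its JSON-attribute handling (inferred from framework behaviour, not visible in this hunk), the value lands in `foobar` or `level1`, and reading `foobar->level2` back is null either way. A check on the attribute that would actually be written is stronger, e.g. `$this->assertArrayNotHasKey('foobar', $model->getAttributes());` after the second fill and `$this->assertArrayNotHasKey('level1', $model->getAttributes());` after the third, placed before `level1` is legitimately set in the last step. Sibling methods in this file such as `tearDown(): void` and `testNewModel(): void` declare a return type; `public function testGuardedModel(): void` would match them.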