Merge pull request mongodb#2082 from fish3046/issue-2078

Smolevich · web-flow · commit 828e7513f0ee · 2020-08-20T21:38:24.000+03:00
[3.x] Fix guarded to return always true
diff --git a/README.md b/README.md
@@ -22,6 +22,7 @@ This package adds functionalities to the Eloquent model and Query builder for Mo
     - [Extending the base model](#extending-the-base-model)
     - [Soft Deletes](#soft-deletes)
     - [Dates](#dates)
+    - [Guarding attributes](#guarding-attributes)
     - [Basic Usage](#basic-usage)
     - [MongoDB-specific operators](#mongodb-specific-operators)
     - [MongoDB-specific Geo operations](#mongodb-specific-geo-operations)
@@ -240,7 +241,7 @@ use Jenssegers\Mongodb\Auth\User as Authenticatable;
 
 class User extends Authenticatable
 {
-    
+
 }
 ```
 
@@ -263,6 +264,13 @@ class User extends Model
 
 For more information check [Laravel Docs about Soft Deleting](http://laravel.com/docs/eloquent#soft-deleting).
 
+### Guarding attributes
+
+When choosing between guarding attributes or marking some as fillable, Taylor Otwell prefers the fillable route.
+This is in light of [recent security issues described here](https://blog.laravel.com/security-release-laravel-61835-7240).
+
+Keep in mind guarding still works, but you may experience unexpected behavior.
+
 ### Dates
 
 Eloquent allows you to work with Carbon or DateTime objects instead of MongoDate objects. Internally, these dates will be converted to MongoDate objects when saved to the database.
diff --git a/src/Jenssegers/Mongodb/Eloquent/Model.php b/src/Jenssegers/Mongodb/Eloquent/Model.php
@@ -473,6 +473,17 @@ protected function getRelationsWithoutParent()
         return $relations;
     }
 
+    /**
+     * Checks if column exists on a table.  As this is a document model, just return true.  This also
+     * prevents calls to non-existent function Grammar::compileColumnListing()
+     * @param string $key
+     * @return bool
+     */
+    protected function isGuardableColumn($key)
+    {
+        return true;
+    }
+
     /**
      * @inheritdoc
      */
diff --git a/src/Jenssegers/Mongodb/Schema/Builder.php b/src/Jenssegers/Mongodb/Schema/Builder.php
@@ -7,14 +7,6 @@
 
 class Builder extends \Illuminate\Database\Schema\Builder
 {
-    /**
-     * @inheritdoc
-     */
-    public function __construct(Connection $connection)
-    {
-        $this->connection = $connection;
-    }
-
     /**
      * @inheritdoc
      */
diff --git a/tests/ModelTest.php b/tests/ModelTest.php
@@ -19,6 +19,7 @@ public function tearDown(): void
         Soft::truncate();
         Book::truncate();
         Item::truncate();
+        Guarded::truncate();
     }
 
     public function testNewModel(): void
@@ -722,4 +723,27 @@ public function testTruncateModel()
 
         $this->assertEquals(0, User::count());
     }
+
+    public function testGuardedModel()
+    {
+        $model = new Guarded();
+
+        // foobar is properly guarded
+        $model->fill(['foobar' => 'ignored', 'name' => 'John Doe']);
+        $this->assertFalse(isset($model->foobar));
+        $this->assertSame('John Doe', $model->name);
+
+        // foobar is guarded to any level
+        $model->fill(['foobar->level2' => 'v2']);
+        $this->assertNull($model->getAttribute('foobar->level2'));
+
+        // multi level statement also guarded
+        $model->fill(['level1->level2' => 'v1']);
+        $this->assertNull($model->getAttribute('level1->level2'));
+
+        // level1 is still writable
+        $dataValues = ['array', 'of', 'values'];
+        $model->fill(['level1' => $dataValues]);
+        $this->assertEquals($dataValues, $model->getAttribute('level1'));
+    }
 }
diff --git a/tests/models/Guarded.php b/tests/models/Guarded.php
@@ -0,0 +1,11 @@
+<?php
+declare(strict_types=1);
+
+use Jenssegers\Mongodb\Eloquent\Model as Eloquent;
+
+class Guarded extends Eloquent
+{
+    protected $connection = 'mongodb';
+    protected $collection = 'guarded';
+    protected $guarded = ['foobar', 'level1->level2'];
+}
