Fix guarded to return always true

Fix for laravel/framework#33858

Co-Authored-By: Karl Pierce <[email protected]>

Author: divine

Diff for: README.md

@@ -11,6 +11,7 @@ Table of contents
 * [Upgrading](#upgrading)
 * [Configuration](#configuration)
 * [Eloquent](#eloquent)
+* [Guarding attributes](#guarding-attributes)
 * [Optional: Alias](#optional-alias)
 * [Query Builder](#query-builder)
 * [Schema](#schema)
@@ -41,6 +42,7 @@ composer require jenssegers/mongodb
  5.2.x    | 2.3.x or 3.0.x
  5.3.x    | 3.1.x or 3.2.x
  5.4.x    | 3.2.x
+ 5.5.x    | 3.3.x
 
 And add the service provider in `config/app.php`:
 
@@ -192,6 +194,13 @@ class MyModel extends Eloquent {
 
 Everything else (should) work just like the original Eloquent model. Read more about the Eloquent on http://laravel.com/docs/eloquent
 
+### Guarding attributes
+
+When choosing between guarding attributes or marking some as fillable, Taylor Otwell prefers the fillable route.
+This is in light of [recent security issues described here](https://blog.laravel.com/security-release-laravel-61835-7240).
+
+Keep in mind guarding still works, but you may experience unexpected behavior.
+
 ### Optional: Alias
 
 You may also register an alias for the MongoDB model by adding the following to the alias array in `config/app.php`:

Diff for: src/Jenssegers/Mongodb/Eloquent/Model.php

@@ -420,6 +420,17 @@ protected function removeTableFromKey($key)
         return $key;
     }
 
+    /**
+     * Checks if column exists on a table.  As this is a document model, just return true.  This also
+     * prevents calls to non-existent function Grammar::compileColumnListing()
+     * @param string $key
+     * @return bool
+     */
+    protected function isGuardableColumn($key)
+    {
+        return true;
+    }
+
     /**
      * @inheritdoc
      */

Diff for: src/Jenssegers/Mongodb/Schema/Builder.php

@@ -7,14 +7,6 @@
 
 class Builder extends \Illuminate\Database\Schema\Builder
 {
-    /**
-     * @inheritdoc
-     */
-    public function __construct(Connection $connection)
-    {
-        $this->connection = $connection;
-    }
-
     /**
      * @inheritdoc
      */

Diff for: tests/ModelTest.php

@@ -14,6 +14,7 @@ public function tearDown()
         Soft::truncate();
         Book::truncate();
         Item::truncate();
+        Guarded::truncate();
     }
 
     public function testNewModel()
@@ -548,4 +549,27 @@ public function testChunkById()
 
         $this->assertEquals(3, $count);
     }
+
+    public function testGuardedModel()
+    {
+        $model = new Guarded();
+
+        // foobar is properly guarded
+        $model->fill(['foobar' => 'ignored', 'name' => 'John Doe']);
+        $this->assertFalse(isset($model->foobar));
+        $this->assertSame('John Doe', $model->name);
+
+        // foobar is guarded to any level
+        $model->fill(['foobar->level2' => 'v2']);
+        $this->assertNull($model->getAttribute('foobar->level2'));
+
+        // multi level statement also guarded
+        $model->fill(['level1->level2' => 'v1']);
+        $this->assertNull($model->getAttribute('level1->level2'));
+
+        // level1 is still writable
+        $dataValues = ['array', 'of', 'values'];
+        $model->fill(['level1' => $dataValues]);
+        $this->assertEquals($dataValues, $model->getAttribute('level1'));
+    }
 }

Diff for: tests/models/Guarded.php

@@ -0,0 +1,11 @@
+<?php
+declare(strict_types=1);
+
+use Jenssegers\Mongodb\Eloquent\Model as Eloquent;
+
+class Guarded extends Eloquent
+{
+    protected $connection = 'mongodb';
+    protected $collection = 'guarded';
+    protected $guarded = ['foobar', 'level1->level2'];
+}