Closed manelj closed 6 years ago
I think it's a bad idea to just pass the userdata to the object without any checks. A more defensive approach would be to explicitly define what keys can be set (along with some validation probably). Could be quite simple:
$body = $request->getParsedBody();
$allowedKeys = ['title', 'content'];
foreach (array_keys($body) as $key) {
if (!in_array($key, $allowedKeys)) {
unset($body[$key]);
}
}
You can do what @willemwollebrants recommended or you can define rules using the integrated Event Emitters. Put something like this in the Entity definition:
// untested code
public static function events(EventEmitter $eventEmitter)
{
$eventEmitter->on('beforeSave', function (Entity $entity, Mapper $mapper) {
$oldUUID = $entity->dataUnmodified('tar_uuid');
$newUUID = $entity->tar_uuid;
if ($oldUUID !== null) {
$entity->tar_uuid = $oldUUID;
}
});
}
This way the user cannot change the tar_uuid after it was first set.
Or ... :) you can define a setter for the fields in your Entity class, something like:
public function setTarUuid($value){
if (is_null($this->tar_uuid){
this->tar_uuid = $value;
}
}
The upside here is that you don't have to wait for the beforeSave event. The tar_uuid becomes fixed after it was first set, whether or not or not the object has been saved.
Getters/setters are not that well documented, but the rules are pretty simple. If there's a function called set + the camel case version of the variable name, it will be called when you set the value for this variable (even if you use the data() method)
Closing this issue, because of the inactivity. Feel free to reopen this if you have more questions regarding this subject.
Is the any solution to load data into entity excluding the fields that you don't allow to be overwritten? ` $body = $request->getParsedBody();
$tarea->clear();
$tarea->data($body);
$resultadoSave = $this->container["spot"]->mapper("App\Modelos\Tarea")->save($tarea);
` After this code, i don't want that fields 'tar_id' and 'tar_uuid' can be overwritten if user has send it via json post method.