
Fix up validation of marshaled data when fields is given.

Open dereuromark opened this issue 6 months ago • 3 comments

One idea on how to solve the issue of https://github.com/cakephp/cakephp/issues/18232

Reasoning: When fields are given, one usually does that for security reasons, so not to allow other fields to be touched (e.g. role_id by injecting that into the post data). Now when that field then gets validated along with it, it undermines the idea behind using the fields config, and as such people stop using it, making the application overall less secure. So it is vital that we only allow patching (and that includes validation) of fields that are in that list if passed along.

Also, if you are not setting those other fields (into the entity), having them in the payload should just ignore them instead of acting on them as well.

That said: It would break existing code, e.g. fields you want to validate but not store in the entity (e.g. a checkbox for "accept terms and conditions"). So to keep things safe, the strictFields bool flag would have to be switched on for this behavior.

Alternative names maybe:

  • [ ] validateOnlyFields
  • [ ] validateFieldList

dereuromark · Apr 13 '25 18:04
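As an added illustration of the reasoning in the issue (not code from the issue author or the CakePHP project), this is a pre-filter a controller can apply today so that an injected `role_id` never reaches the marshaller or the validator. `restrictToFields()` is a hypothetical helper; the `patchEntity()` call with the `fields` option is CakePHP's existing API, and the payload is constructed for the example.

```php
<?php
declare(strict_types=1);

// Added example, not code from the CakePHP project or the issue author.
// Mitigation available without the proposed strictFields flag: drop request
// keys that are not in the allowed field list *before* the data reaches
// patchEntity(), so neither marshalling nor validation ever sees role_id.

/**
 * Keep only the allowed top-level keys of a request payload.
 * Hypothetical helper, not a CakePHP API.
 */
function restrictToFields(array $data, array $fields): array
{
    return array_intersect_key($data, array_fill_keys($fields, true));
}

// Constructed payload: the client added role_id, which the form never offered.
$postData = [
    'title'        => 'Hello',
    'body'         => 'World',
    'role_id'      => 1,    // injected; must not reach the entity or validation
    'accept_terms' => '1',  // not a column: validated, never written to the table
];

// accept_terms stays in the list so the validator still sees it
// (the "accept terms and conditions" case raised in the issue).
$allowed  = ['title', 'body', 'accept_terms'];
$safeData = restrictToFields($postData, $allowed);

assert(!array_key_exists('role_id', $safeData));
assert(array_keys($safeData) === ['title', 'body', 'accept_terms']);

// In a controller, pass the filtered array together with the same list so the
// marshaller's own `fields` option remains a second line of defence:
//   $article = $this->Articles->patchEntity($article, $safeData, ['fields' => $allowed]);
```

Filtering before `patchEntity()` is what makes the field list authoritative for validation as well as assignment, which is the gap the issue describes.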