Mark Story

> There doesn't seem to be tests specifically for configRequest, despite it clearly being covered via its use within tests. I'm ok with the implicit testing. If the sample controller...

I am not a fan of including localhost. While useful for development it creates opportunity for serverside request forgery to other services on non-public networks. Why do you need localhost...

> I don't think the validator is the correct place to protect against serverside request forgery, as it only checks the syntax and doesn't know which URLs should/shouldn't be accessible....

> An additional key on the association configuration methods like belongsTo() or hasMany() that would allow the developer to say "always load this when I pull the main entity, and...

A potential way you can help improve your type safety and find and diagnose loading errors is to make them fatal errors. If you make your relation attributes nullable, I...

> This is pretty much the solution we're using now, although more as a service layer than an ORM wrapper. It make me wonder, as a 10+ year Cake user,...

> Technically this would need to go into 6.x, as the signature change is not backwards compatible. Why isn't it though? All call sites that were valid before are still...

I've added a test, and I'm not sure I understand the workflow this change would enable. Any examples you could share?

Given that most folks interact with mass-assignment via the ORM methods, what about `patchable`?

I think expanding the feature set of `Hash` to handle objects that use a property based protocol is a good idea. The intention for `Hash` is to be a higher...