This change avoids having to update the accessible list when new fields are added to table.
|
Makes me sad, making the security feature less obvious |
|
@lorenzo Life is full of compromises 😄 |
|
😢 At least people who need more secure apps have better tools at their disposal. |
Only set primary key fields as non-accessible.
|
👎 I'd rather have security by default than ease of use for "newbies". |
|
+1 to @GuidoHendriks 😄 |
|
@GuidoHendriks @Spriz I am not particularly thrilled by this change either, but keeping things simpler for newbies is also important, as initial impressions matter. You can use a custom bake template to get the earlier behavior. |
|
Maybe we should add a note to the docblock? |
|
@bcrowe Sounds good, can you please make a PR with appropriate text? |
|
The |
|
I would expect |
|
@markstory You mean added to what is currently being generated (the |
|
Well, if there is an explicit list of fields from the user, only those fields should be marked accessible. |
|
OK, that's what I was suggesting too, I misunderstood you then. I'll try to implement this before I continue with the entity property hints. |
|
Maybe instead mass assigning to a field that is not accessible could throw a warning on debug true? |
This was removed in #134 to make adding new fields to the database easier for new developers. This created a tradeoff with more secure defaults. I'd like to re-add more secure defaults alongside warning log messages in the marshaller during debug mode to help new developers.
This change avoids having to update the accessible list when new fields are added to table.
This avoids some hair pulling for new users who don't realize the entity also needs to be updated if they change table fields. I have seen newbies often struggle to figure out why their new fields are not getting saved. e.g. http://stackoverflow.com/questions/31385268/cakephp-3-new-fields-wont-save-correctly
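
The trade-off discussed in this thread, as an added example that is not part of the PR or CakePHP's own code: a stand-alone PHP 8 model of a mass-assignment guard, comparing "everything accessible except the primary key" with an explicit field list, plus the debug-mode warning proposed above. The class `GuardedEntity`, the `is_published` field and the request data are hypothetical.

```php
<?php
declare(strict_types=1);

// Simplified stand-in for an entity's mass-assignment guard (hypothetical, not CakePHP code).
final class GuardedEntity
{
    /** @var array<string, mixed> values that were actually assigned */
    public array $fields = [];
    /** @var list<string> debug-mode warnings for skipped fields */
    public array $warnings = [];

    /** @param array<string, bool> $accessible field => allowed; '*' is the fallback rule */
    public function __construct(private array $accessible, private bool $debug = false)
    {
    }

    private function isAccessible(string $field): bool
    {
        // An explicit entry wins, then the wildcard, then deny.
        return $this->accessible[$field] ?? $this->accessible['*'] ?? false;
    }

    /** Copy request data onto the entity, skipping guarded fields. */
    public function patch(array $data): void
    {
        foreach ($data as $field => $value) {
            if ($this->isAccessible((string)$field)) {
                $this->fields[$field] = $value;
            } elseif ($this->debug) {
                $this->warnings[] = "Mass assignment to guarded field '$field' was ignored";
            }
        }
    }
}

// Constructed request body: the form only exposes title and body.
$request = ['id' => 99, 'title' => 'Hello', 'body' => 'Text', 'is_published' => true];

// Policy from this change: only the primary key is non-accessible.
$wildcard = new GuardedEntity(['*' => true, 'id' => false], debug: true);
$wildcard->patch($request);

// Explicit list: only the named fields are accessible.
$explicit = new GuardedEntity(['title' => true, 'body' => true], debug: true);
$explicit->patch($request);

// Compare which fields each policy accepted and what debug mode reported.
print_r(['wildcard' => $wildcard->fields, 'explicit' => $explicit->fields]);
print_r(['wildcard' => $wildcard->warnings, 'explicit' => $explicit->warnings]);
```

Under the wildcard policy the extra `is_published` value is assigned silently, while the explicit list drops it and, in debug mode, records why.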