.set() will no longer accept values that are not a dynamic setter or in the model definition

Mick Hansen
Commit 7a7f3ddf authored Feb 21, 2014 by Mick Hansen
Showing with 37 additions and 1 deletions
changelog.md
lib/dao.js
test/dao/values.test.js
--- a/changelog.md
+++ b/changelog.md
@@ -5,6 +5,9 @@ Notice: All 1.7.x changes are present in 2.0.x aswell
 - [BUG] using include.attributes with primary key attributes specified should no longer result in multiple primary key attributes being selected [#1410](https://github.com/sequelize/sequelize/pull/1410)
 - [DEPENDENCIES] all dependencies, including Validator have been updated to the latest versions.
+#### Backwards compatability changes
+- .set() will no longer set values that are not a dynamic setter or defined in the model. This only breaks BC since .set() was introduced but restores original .updateAttributes functionality where it was possible to 'trust' user input.
 # v1.7.0-rc6
 - [BUG] Encode binary strings as bytea in postgres, and fix a case where using a binary as key in an association would produce an error [1364](https://github.com/sequelize/sequelize/pull/1364). Thanks to @SohumB

--- a/lib/dao.js
+++ b/lib/dao.js
@@ -162,6 +162,11 @@ module.exports = (function() {
          this._setInclude(key, value, options)
          return
        } else {
+          // If not raw, and attribute is not in model definition
+          if (!options.raw && Object.keys(this.Model.attributes).indexOf(key) === -1) {
+            return;
+          }
          // If attempting to set primary key and primary key is already defined, return
          if (this._hasPrimaryKeys && originalValue && this._isPrimaryKey(key)) {
            return
@@ -273,7 +278,7 @@ module.exports = (function() {
    options = Utils._.extend({}, options, fieldsOrOptions)
    if (!options.fields) {
-      options.fields = this.attributes
+      options.fields = Object.keys(this.Model.attributes)
    }
    if (options.returning === undefined) {

--- a/test/dao/values.test.js
+++ b/test/dao/values.test.js
@@ -62,6 +62,34 @@ describe(Support.getTestDialectTeaser("DAO"), function () {
        expect(user.get('updatedAt')).not.to.be.ok
      })
+      it('doesn\'t set value if not a dynamic setter or a model attribute', function() {
+        var User = this.sequelize.define('User', {
+          name: {type: DataTypes.STRING},
+          email_hidden: {type: DataTypes.STRING}
+        }, {
+          setterMethods: {
+            email_secret: function (value) {
+              this.set('email_hidden', value)
+            }
+          }
+        })
+        var user = User.build()
+        user.set({
+          name: 'antonio banderaz',
+          email: 'antonio@banderaz.com',
+          email_secret: 'foo@bar.com'
+        })
+        user.set('email', 'antonio@banderaz.com')
+        expect(user.get('name')).to.equal('antonio banderaz')
+        expect(user.get('email_hidden')).to.equal('foo@bar.com')
+        expect(user.get('email')).not.to.be.ok
+        expect(user.dataValues.email).not.to.be.ok
+      })
      describe('includes', function () {
        it('should support basic includes', function () {
          var Product = this.sequelize.define('Product', {