This repository has been archived by the owner on Feb 10, 2022. It is now read-only.

Mass assignment (fillable & guarded fields) #196

Open
Zizaco opened this issue Oct 30, 2017 · 1 comment

@Zizaco
Contributor

Zizaco commented Oct 30, 2017

Summary

Due to the (by default) schemaless nature of MongoDB, ideally we would treat the entity schema at the application level.

A common practice to control the entity schema/fields when using the ActiveRecord pattern is to control Mass Assignment.

Today there is no way to declare which fields of an entity can be Mass Assigned.

Resources

About the subject and how other ORMs/ODMs behave

https://en.wikipedia.org/wiki/Mass_assignment_vulnerability
https://code.tutsplus.com/tutorials/mass-assignment-rails-and-you--net-31695
https://orator-orm.com/docs/master/orm.html#mass-assignment
https://github.com/leroy-merlin-br/mongolid/blob/master/docs/basics.md#mass-assignment

What would be the ideal

  • To have a simple way to declare, for each entity, which fields are available for Mass Assignment (blacklist and/or whitelist)
  • This behavior should only take place for Mass Assignment (user.set(<object>)); it should not affect single field assignment, i.e.: user.set('createdAt', new Date()) should work even if the 'createdAt' field is not fillable with Mass Assignment

@vadimdemedes what are your thoughts on this matter?
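
The behaviour requested above, sketched as an added example (not code from this thread or from the project): mass assignment through set(<object>) is filtered by a per-entity whitelist and blacklist, while set('field', value) is not. The Entity class and the fillable/guarded static properties are hypothetical names chosen for the illustration.

```javascript
// Added illustration. Entity, fillable and guarded are hypothetical names,
// not an existing ODM API.
class Entity {
  static fillable = null; // whitelist of field names; null means no whitelist
  static guarded = [];    // blacklist; always wins over the whitelist

  constructor() {
    // No prototype, so a "__proto__" key can only ever be plain data.
    this.attributes = Object.create(null);
  }

  static isFillable(key) {
    if (this.guarded.includes(key)) return false;
    return this.fillable === null || this.fillable.includes(key);
  }

  // set('field', value): single-field assignment, never filtered.
  // set({...}): mass assignment, filtered; returns the keys it dropped.
  set(key, value) {
    if (typeof key === 'string') {
      this.attributes[key] = value;
      return [];
    }
    const rejected = [];
    for (const [k, v] of Object.entries(key)) {
      if (this.constructor.isFillable(k)) this.attributes[k] = v;
      else rejected.push(k);
    }
    return rejected;
  }

  get(key) { return this.attributes[key]; }
}

class User extends Entity {
  static fillable = ['name', 'email'];
  static guarded = ['isAdmin'];
}

// Constructed request body carrying fields the client should not control.
function demo() {
  const body = JSON.parse('{"name":"Ana","email":"ana@example.com",' +
    '"isAdmin":true,"createdAt":"2000-01-01","__proto__":{"isAdmin":true}}');
  const user = new User();
  const rejected = user.set(body);     // ['isAdmin', 'createdAt', '__proto__']
  user.set('createdAt', new Date(0));  // explicit single-field set still works
  return { user, rejected };
}
```

Returning the dropped keys lets the caller log or reject requests that try to set fields outside the whitelist instead of silently ignoring them.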

@vadimdemedes
Owner

Interesting topic. I think it should be implemented as a plugin instead to keep the core lightweight. Unfortunately, I don't have time at the moment for it, so I can't give any ETAs. If you'd like to pick it up, I'd be happy to help if you have any questions about the API.
