https://stackoverflow.com/questions/21364062
italiano
english
français
española
中国
日本の
العربية
Deutsch
한국어
Português
RussianAt last, after some discussion, it really seems to be nothing more than a design decision which I don't quite agree with.
Laravel mass assignment security policy
-
02-10-2022 - |
Question
The fill method of Illuminate\Database\Eloquent\Model is used for mass assignment, and it is called by the model constructor, which in turn is called by the create method.
Why doesn't it throw any exception if one or more "guarded" attributes are found inside the input array? Instead, it simply ignores them and keeps setting the "fillable" ones. An exception is only thrown when the model is "totally guarded" (i.e. no attribute is fillable).
Let's say that even a single guarded attribute is found where it shouldn't be: isn't that suspicious enough to be at least reported to the administrators?
For now, if I want to audit such a situation and likely cancel the operation, I have to check the input by myself just before the mass assignment: how is this supposed to make sense?
Solution
Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow
