
Laravel mass assignment security policy

The fill method of Illuminate\Database\Eloquent\Model is used for mass assignment, and it is called by the model constructor, which in turn is called by the create method.
Why doesn't it throw any exception if one or more "guarded" attributes are found inside the input array? Instead, it simply ignores them and keeps setting the "fillable" ones. An exception is only thrown when the model is "totally guarded" (i.e. no attribute is fillable).

Let's say that even a single guarded attribute is found where it shouldn't be: isn't that suspicious enough to be at least reported to the administrators?
For now, if I want to audit such a situation and likely cancel the operation, I have to check the input by myself just before the mass assignment: how is this supposed to make sense?

In the end, after some discussion, this seems to be nothing more than a design decision that I don't quite agree with.
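Added illustration of the two behaviours discussed in the question (this is not Eloquent's code and not the question author's; the class and method names are hypothetical): a minimal stand-in for the fillable/guarded filter that silently drops disallowed keys, next to an audited variant that records the dropped keys, logs them for review, and can refuse the whole operation instead.

```php
<?php
// Added example: a tiny stand-in for the fill()/fillable/guarded logic the
// question describes. Not Laravel's code; class and method names are hypothetical.

final class MassAssignmentRejected extends RuntimeException {}

final class AuditedModel
{
    /** Attributes allowed through mass assignment (mirrors the role of Eloquent's $fillable). */
    private array $fillable = ['name', 'email'];

    /** Attributes actually set on the model. */
    private array $attributes = [];

    /** Keys that were present in the input but not fillable. */
    private array $discarded = [];

    private function isFillable(string $key): bool
    {
        return in_array($key, $this->fillable, true);
    }

    /** Behaviour the question complains about: non-fillable keys vanish without a trace. */
    public function fillSilently(array $input): self
    {
        foreach ($input as $key => $value) {
            if ($this->isFillable($key)) {
                $this->attributes[$key] = $value;
            }
        }
        return $this;
    }

    /**
     * Audited variant: compute which keys would be dropped before touching the model,
     * log them, and in strict mode refuse the operation entirely.
     */
    public function fillAudited(array $input, bool $strict = false): self
    {
        $this->discarded = array_values(array_diff(array_keys($input), $this->fillable));

        if ($strict && $this->discarded !== []) {
            throw new MassAssignmentRejected(
                'Refusing mass assignment; non-fillable keys present: ' . implode(', ', $this->discarded)
            );
        }

        foreach ($this->discarded as $key) {
            // Replace with the application's logger or alerting; this is the point
            // at which an administrator would be notified.
            error_log(sprintf('[mass-assignment] discarded key "%s"', $key));
        }

        foreach ($input as $key => $value) {
            if ($this->isFillable($key)) {
                $this->attributes[$key] = $value;
            }
        }
        return $this;
    }

    public function discardedKeys(): array { return $this->discarded; }

    public function toArray(): array { return $this->attributes; }
}

// Constructed request payload: two legitimate fields plus a key the model does not allow.
$payload = ['name' => 'alice', 'email' => 'alice@example.com', 'is_admin' => 1];

// Silent mode: is_admin is simply absent from the resulting attributes.
$silent = (new AuditedModel())->fillSilently($payload);
var_dump(array_key_exists('is_admin', $silent->toArray()));

// Audited mode: the same result, but the dropped key is logged and available for review.
$audited = (new AuditedModel())->fillAudited($payload);
print_r($audited->discardedKeys());

// Strict mode: the operation is cancelled before any attribute is written.
try {
    (new AuditedModel())->fillAudited($payload, strict: true);
} catch (MassAssignmentRejected $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

In a real Laravel application the same pre-check can be expressed against the model's own accessors, since Eloquent models expose `getFillable()`, `getGuarded()` and `isFillable($key)`: diffing the request keys against `getFillable()` before calling `fill()` gives the list of keys that would otherwise be dropped, which is exactly the signal the question wants reported. Later Laravel releases (9.x onward) also added `Model::preventSilentlyDiscardingAttributes()`, which makes `fill()` throw in this situation rather than ignore the keys; that option post-dates the question.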
