
Laravel mass assignment security policy

The fill method of Illuminate\Database\Eloquent\Model is used for mass assignment, and it is called by the model constructor, which in turn is called by the create method.
Why doesn't it throw any exception if one or more "guarded" attributes are found inside the input array? Instead, it simply ignores them and keeps setting the "fillable" ones. An exception is only thrown when the model is "totally guarded" (i.e. no attribute is fillable).

Let's say that even a single guarded attribute is found where it shouldn't be: isn't that suspicious enough to be at least reported to the administrators?
For now, if I want to audit such a situation and likely cancel the operation, I have to check the input by myself just before the mass assignment: how is this supposed to make sense?

In the end, after some discussion, it seems this is nothing more than a design decision that I don't quite agree with.
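
The check described in the question can be centralised in one place. This is an added example, not part of the original post and not Laravel's own code: a base model that logs and rejects input containing non-fillable keys before the mass assignment runs. The class name AuditedModel, the method rejectedKeys, and the log and exception messages are assumptions; isFillable, isUnguarded, fill, MassAssignmentException and the Log facade are Eloquent/Laravel APIs.

```php
<?php

namespace App\Models;

use Illuminate\Database\Eloquent\MassAssignmentException;
use Illuminate\Database\Eloquent\Model;
use Illuminate\Support\Facades\Log;

// Hypothetical base class (not part of Laravel): extend it instead of Model
// to make discarded mass-assignment keys visible.
abstract class AuditedModel extends Model
{
    public function fill(array $attributes)
    {
        // forceFill() and Model::unguard() disable guarding on purpose,
        // so only audit while guarding is active.
        if (! static::isUnguarded()) {
            $rejected = $this->rejectedKeys($attributes);

            if ($rejected !== []) {
                // Log key names only: the submitted values may hold secrets.
                Log::warning('Mass assignment included non-fillable attributes', [
                    'model' => static::class,
                    'keys'  => $rejected,
                ]);

                // Cancel the whole operation instead of doing a partial fill.
                throw new MassAssignmentException(sprintf(
                    'Non-fillable attributes [%s] passed to [%s].',
                    implode(', ', $rejected),
                    static::class
                ));
            }
        }

        return parent::fill($attributes);
    }

    // Input keys that Eloquent's own isFillable() check would silently drop.
    protected function rejectedKeys(array $attributes): array
    {
        return array_values(array_filter(
            array_keys($attributes),
            fn ($key) => ! $this->isFillable((string) $key)
        ));
    }
}
```

Newer Laravel releases also provide Model::preventSilentlyDiscardingAttributes(), which makes fill throw a MassAssignmentException for unfillable keys without a custom base class.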
