
Update non-fillable field in Laravel Model

I have my User table, the default table Laravel comes with when you do the whole php artisan make:auth stuff, and I've added a boolean system_admin column, and a couple of other similar columns.

Now when someone registers to the site, I don't want a malicious person to be able to just give themselves that right, so I haven't put that field in the fillable array in the User.php model file.

First question then: is that the right decision for the right reason?

But now I'm working on a system admin page, which should allow people to modify properties like that, but in my route, that's only accessible by SystemAdmins, I have code that looks like this:

public function updateUser($userId, Request $request) {
    $user = User::find($userId);
    $update = $request->all();
    // update() mass-assigns, so keys that are not in $fillable are silently dropped
    $user->update($update);
}

And of course, because those columns aren't fillable, this request doesn't work for those fields.

But I want it to, because this particular route is protected by middleware that verifies a system_admin should have access to it.

So how do I update these non-fillable columns, without allowing nonSysAdmins to update the same columns?

I used lagbox's answer to come up with an alternative solution that goes over every updating variable key in my route:

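public function updateUser($userId, Request $request) {
    $user = User::find($userId);
    $update = $request->all();
    // Direct attribute assignment bypasses $fillable for every key in the request
    foreach ($update as $key => $value) {
        $user->$key = $value;
    }
    $user->save();

    $newUser = User::find($userId);
    // Pass the model itself: json() serializes it, whereas toJson() here
    // would produce a JSON string that json() then encodes a second time
    return response()->json($newUser);
}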

I'm hoping there's nothing wrong with doing it this way.

> I haven't put that field in the fillable array in the User.php model file

Yes, that is the right decision as it requires you explicitly set that value. That said, it can still be set explicitly in code (which is probably what you want).

> So how do I update these non-fillable columns, without allowing nonSysAdmins to update the same columns?

I'm unfamiliar with the update() method. Also, normally, Laravel uses something called route binding that automagically initializes an object in the controller based on the route (but that's not crucial to your issue).

Your controller code should look something like this:

public function update(Request $request)
{
    $user = User::findOrFail($request->id);
    $user->fill($request->all());
    $user->system_admin = $request->system_admin;
    $user->save();
    …
}

Note that unless you add fields to $fillable you'll have to specify each field you want to update manually (as shown). Looping through the keys is problematic as there may be all kinds of fields that shouldn't be a part of the saved model.

Since you are using guards (or similar) to limit who has access to those routes, it shouldn't be a problem to make system_admin fillable.

HTH
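As an added example (not code from the question or the answer), here is one way to update the non-fillable column on the admin-only route without looping over every request key: validate an explicit list of fields, then `forceFill()` only that validated data. The `name` and `email` columns and the `AdminUserController` class name are assumptions; `system_admin` is the column from the question, and the route is assumed to use route model binding behind the system-admin middleware.

```php
<?php

namespace App\Http\Controllers;

use App\User;
use Illuminate\Http\Request;

// Hypothetical controller; assumed to be reachable only through the
// system-admin middleware described in the question.
class AdminUserController extends Controller
{
    public function update(Request $request, User $user)
    {
        // validate() returns only the keys that have a rule here, so any
        // other request field (id, password, remember_token, ...) never
        // reaches the model. 'sometimes' lets the admin send a subset.
        $validated = $request->validate([
            'name'         => 'sometimes|string|max:255',
            'email'        => 'sometimes|email|max:255',
            'system_admin' => 'sometimes|boolean',
        ]);

        // forceFill() ignores $fillable/$guarded. That is acceptable here
        // because $validated can only contain the three keys listed above,
        // and system_admin stays out of $fillable for the public
        // registration path.
        $user->forceFill($validated)->save();

        // Return the row as it now exists in the database.
        return response()->json($user->fresh());
    }
}
```

Because the allow-list lives in this one admin action, the registration controller keeps relying on `$fillable` to drop `system_admin` from untrusted input.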
