Support the ongoing development of Laravel.io →
Security Input Eloquent
Last updated 2 years ago.
0

Hi,

Instead of mass-assigning, leave the is_admin field out of the fillable array as you have already done. Then, manually assign it when, for example, a checkbox is checked.

So, imagine you have a $user variable. You have already queried the database and gotten the user that the admin wants to mark as admin. Then, what you do is simply:

$user->isAdmin = true; // if your field is boolean, or
$user->isAdmin = 1; // if your field is a tinyint
Last updated 2 years ago.
0

Thank you for the quick response. I am not really sure I understand what you are saying. If I understand you correctly than you mean something like this?

if ($validator->fails())
		{
			return Redirect::back()->withErrors($validator)->withInput();
		}

		$user->update($data);
		
    // adding this to solve the problem
		if (Input::get('is_admin', false)) {
			$user->is_admin = true;
			$user->save();
		}

It works like this but how is it more secure? Let's say that evil user come and create hidden field on the front-end registration form and add this is_admin flag. Than it would get assigned anyway right?

However from your answer I got an idea that might help. Maybe if I first create Auth::user()->is_admin to determine if current user is admin or not than perhaps I could assume that it is ok to let it save.

Last updated 2 years ago.
0

I am not sure, but there may be a method called unguard you can use before you save your changes.

$user->unguard();
$user->update($data);

Otherwise, what you could be doing is to use the fill method. So in your case (from the code above), I would do it like this:

$user->fill($data);
$user->is_admin = !! Input::get('is_admin'); // Double !! makes sure we insert a boolean (true or false).
$user->save();
Last updated 2 years ago.
0

Thank you but would it protect me from the scenario above with the "Evil user" that would want to make admin account even when he should not be able to do it?

Last updated 2 years ago.
0
Solution

For now I will use my own solution inspired by @parham90. I hope that I am not overlooking something important but I think that it should be secure. In case someone has similar problem, I'll post my code below.

if ($validator->fails()) {
	return Redirect::back()->withErrors($validator)->withInput();
}

if (Auth::user()->is_admin) {
	$user->is_admin = Input::get('is_admin', false);
}

$user->update($data);
Last updated 2 years ago.
0

Sign in to participate in this thread!

Eventy

Your banner here too?

Joe5 joe5 Joined 26 Oct 2014

Moderators

We'd like to thank these amazing companies for supporting us

Your logo here?

Laravel.io

The Laravel portal for problem solving, knowledge sharing and community building.

© 2024 Laravel.io - All rights reserved.