Hi,

Instead of mass-assigning, leave the `is_admin` field out of the `fillable` array as you have already done. Then, manually assign it when, for example, a checkbox is checked.

So, imagine you have a `$user` variable. You have already queried the database and gotten the user that the admin wants to mark as admin. Then, what you do is simply:
```php
$user->is_admin = true; // if your field is boolean, or
$user->is_admin = 1;    // if your field is a tinyint
$user->save();          // persist the explicitly assigned flag
```

Thank you for the quick response. I am not really sure I understand what you are saying. If I understand you correctly, then you mean something like this?
```php
if ($validator->fails()) {
    return Redirect::back()->withErrors($validator)->withInput();
}
$user->update($data); // is_admin is not in $fillable, so a stray is_admin key in $data is ignored here
// adding this to solve the problem
if (Input::get('is_admin', false)) {
    $user->is_admin = true;
    $user->save();
}
```
It works like this, but how is it more secure? Let's say that an evil user comes and creates a hidden field on the front-end registration form and adds this `is_admin` flag. Then it would get assigned anyway, right?

However, from your answer I got an idea that might help. Maybe if I first create `Auth::user()->is_admin` to determine if the current user is an admin or not, then perhaps I could assume that it is OK to let it save.

I am not sure, but there may be a method called `unguard` you can use before you save your changes.

```php
User::unguard();      // static call: turns off mass-assignment protection for every model until reguard()
$user->update($data); // with protection off, every key in $data is written, is_admin included
User::reguard();      // restore protection right after the save
```
Otherwise, what you could be doing is to use the `fill` method. So in your case (from the code above), I would do it like this:

```php
$user->fill($data);                             // only keys listed in $fillable are copied
$user->is_admin = !! Input::get('is_admin');    // Double !! makes sure we insert a boolean (true or false).
$user->save();
```

Thank you, but would it protect me from the scenario above with the "evil user" who would want to make an admin account even when he should not be able to do it?

For now I will use my own solution inspired by @parham90. I hope that I am not overlooking something important, but I think that it should be secure. In case someone has a similar problem, I'll post my code below.
```php
if ($validator->fails()) {
    return Redirect::back()->withErrors($validator)->withInput();
}
// Only a logged-in admin may change the flag, and it is assigned explicitly, never mass-assigned.
if (Auth::user()->is_admin) {
    $user->is_admin = (bool) Input::get('is_admin', false); // cast: the request value arrives as a string
}
// is_admin is not in $fillable, so any is_admin key that $data carries is ignored by update().
$user->update($data);
```
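To make the two halves of the answer concrete, here is an added, framework-free PHP sketch (not code from this thread or from Laravel) that mimics what Eloquent's `$fillable` whitelist does inside `fill()` and adds the explicit, authorization-gated assignment of `is_admin`; the `User` class, `setAdminFlag()` and the request array are constructed for this example.

```php
<?php
// Added example: shows why a hidden "is_admin=1" field submitted with a
// registration form cannot escalate privileges when is_admin is kept out of
// the whitelist and only ever set through an explicit, authorized path.

class User
{
    // Whitelist for mass assignment; is_admin is deliberately absent.
    protected $fillable = ['name', 'email'];
    public $attributes = ['name' => null, 'email' => null, 'is_admin' => false];

    public function __construct(array $attrs = [])
    {
        $this->attributes = array_merge($this->attributes, $attrs);
    }

    // Mirrors Model::fill(): whitelisted keys are copied, everything else is dropped.
    public function fill(array $input)
    {
        foreach ($input as $key => $value) {
            if (in_array($key, $this->fillable, true)) {
                $this->attributes[$key] = $value;
            }
        }
        return $this;
    }

    // Explicit assignment, gated on the acting user already being an admin
    // (the same check as Auth::user()->is_admin in the thread).
    public function setAdminFlag(User $actor, $requested)
    {
        if ($actor->attributes['is_admin'] === true) {
            $this->attributes['is_admin'] = (bool) $requested;
        }
        return $this;
    }
}

// Constructed request body, exactly what a tampered form with a hidden field would send.
$input = ['name' => 'Mallory', 'email' => 'mallory@example.com', 'is_admin' => '1'];

$visitor = new User();   // anonymous self-registration: the actor is not an admin
$target  = (new User())->fill($input)->setAdminFlag($visitor, $input['is_admin']);
var_dump($target->attributes['is_admin']);   // fill() dropped is_admin and the gate refused it

$admin = new User(['is_admin' => true]);    // a real admin performs the promotion
$target->setAdminFlag($admin, $input['is_admin']);
var_dump($target->attributes['is_admin']);   // the flag changes only through the guarded path
```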