Hi,

Instead of mass-assigning, leave the is_admin field out of the fillable array as you have already done. Then, manually assign it when, for example, a checkbox is checked.

So, imagine you have a $user variable. You have already queried the database and gotten the user that the admin wants to mark as admin. Then, what you do is simply:

$user->isAdmin = true; // if your field is boolean, or
$user->isAdmin = 1; // if your field is a tinyint

Thank you for the quick response. I am not really sure I understand what you are saying. If I understand you correctly than you mean something like this?

if ($validator->fails())
		{
			return Redirect::back()->withErrors($validator)->withInput();
		}

		$user->update($data);
		
    // adding this to solve the problem
		if (Input::get('is_admin', false)) {
			$user->is_admin = true;
			$user->save();
		}

It works like this but how is it more secure? Let's say that evil user come and create hidden field on the front-end registration form and add this is_admin flag. Than it would get assigned anyway right?

However from your answer I got an idea that might help. Maybe if I first create Auth::user()->is_admin to determine if current user is admin or not than perhaps I could assume that it is ok to let it save.

I am not sure, but there may be a method called unguard you can use before you save your changes.

$user->unguard();
$user->update($data);

Otherwise, what you could be doing is to use the fill method. So in your case (from the code above), I would do it like this:

$user->fill($data);
$user->is_admin = !! Input::get('is_admin'); // Double !! makes sure we insert a boolean (true or false).
$user->save();

Thank you but would it protect me from the scenario above with the "Evil user" that would want to make admin account even when he should not be able to do it?