Crud: When input validation occurs, can we have the option to use Laravel's validated()?

Created on 17 Jan 2020 · 4 comments · Source: Laravel-Backpack/CRUD

The Laravel Validator has a function called validated() that returns "_the attributes and values that were validated_" - i.e. if you don't have a rule for an attribute, it won't be in this response.

Why do we want this? Let's say you allow creating/updating a model but only want some fields to be editable.

E.g. we have this operation:

```php
// Inside the CrudController for the Ufo model (Backpack 4)
protected function setupUpdateOperation()
{
    $this->crud->setValidation(UfoRequest::class);
    $this->crud->addFields([
        ['name' => 'barcode', 'type' => 'text', 'label' => 'Barcode', 'attributes' => ['readonly' => 'readonly', 'class' => 'form-control-plaintext']],
        ['name' => 'notes', 'type' => 'textarea', 'label' => 'Notes'],
    ]);
}
```

Note our readonly attribute. Great! The barcode is not editable by the user. BUT WAIT! They know about "Inspect Element" and change it that way... And when they submit, the barcode gets changed!

How can we securely prevent barcode from being updated?

See the bottom for my example model and validation.

The Backpack docs mention that all attributes should be $fillable, so we could take barcode out of there, but this can hurt other aspects of our code.

Am I missing some obvious functionality in Laravel/Backpack that can be used here? (Apologies if so!)
Or does this become a feature request...?

Thanks!

Example Model:

```php
use Illuminate\Database\Eloquent\Model;

class Ufo extends Model
{
    // Every column is mass-assignable, as the Backpack docs recommend
    protected $fillable = [
        'type',
        'barcode',
        'user_id',
        'data',
        'notes',
    ];
}
```

Example Validation/Request:

```php
use Illuminate\Foundation\Http\FormRequest;

class UfoRequest extends FormRequest
{
    // Only "notes" has a rule, so only "notes" would come back from validated()
    public function rules()
    {
        return [
            'notes' => 'string|nullable',
        ];
    }
}
```
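To show what the question is asking for in plain Laravel, here is an added example (not code from the issue, from Backpack, or from the Laravel docs) of a controller that writes only what the FormRequest validated. It assumes Laravel 5.5 or later (`FormRequest::validated()`), the `Ufo` model and `UfoRequest` from the issue, and a hypothetical `UfoController` with a route-model-bound `PUT /ufos/{ufo}` route; the feature test at the bottom is constructed for illustration.

```php
<?php
// Added example, not part of the original issue or of Backpack.
// Assumes Laravel >= 5.5 and the Ufo / UfoRequest classes from the issue;
// UfoController and the /ufos/{ufo} route are hypothetical names.

namespace App\Http\Controllers;

use App\Http\Requests\UfoRequest;
use App\Ufo;

class UfoController extends Controller
{
    // Vulnerable variant: every $fillable key present in the request is written,
    // including a "barcode" the client un-hid with Inspect Element. Validation
    // passes because UfoRequest has no rule for barcode at all.
    public function updateUnsafe(UfoRequest $request, Ufo $ufo)
    {
        $ufo->update($request->all());

        return redirect()->back();
    }

    // Hardened variant: validated() returns only the keys that have a rule in
    // UfoRequest::rules() (here just "notes"), so a tampered "barcode" never
    // reaches update(), whatever the model's $fillable says.
    public function update(UfoRequest $request, Ufo $ufo)
    {
        $ufo->update($request->validated());

        return redirect()->back();
    }
}

// Constructed feature test (tests/Feature/UfoUpdateTest.php, hypothetical) that
// simulates the Inspect Element attack against the hardened route.
namespace Tests\Feature;

use App\Ufo;
use Illuminate\Foundation\Testing\RefreshDatabase;
use Tests\TestCase;

class UfoUpdateTest extends TestCase
{
    use RefreshDatabase;

    public function test_barcode_cannot_be_changed_through_the_update_form()
    {
        $ufo = Ufo::create(['barcode' => 'ABC123', 'notes' => 'old']);

        // Client submits a barcode it was never supposed to be able to edit.
        $this->put("/ufos/{$ufo->id}", ['barcode' => 'EVIL', 'notes' => 'new'])
             ->assertRedirect();

        $fresh = $ufo->fresh();
        $this->assertSame('new', $fresh->notes);      // validated field was saved
        $this->assertSame('ABC123', $fresh->barcode); // unvalidated field was dropped
    }
}
```

One caveat worth keeping in mind: `validated()` only drops keys that have no rule. If you later add a rule such as `'barcode' => 'sometimes|string'` for the create form and reuse the same request class for update, barcode becomes writable again, so keep separate request classes (or conditional rules) for the two operations.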

All 4 comments

Hey @bnxio

Thanks for reporting in. I think a good way to not let CRUD update your barcode and still show it in the form is to remove the barcode from the request before saving.

To override the default CRUD saving you could do something along these lines:

```php
// Inside your CrudController: alias the trait's update() so it can be called after stripping the request
use \Backpack\CRUD\app\Http\Controllers\Operations\UpdateOperation { update as updateTrait; }

public function update()
{
    $request = $this->crud->request->request;

    if ($request->has('barcode')) {
        $request->remove('barcode');
    }

    return $this->updateTrait();
}
```

I am going to close this as this is not the right place to ask this kind of questions, also you might want to have a read: overriding crud default methods

If you found a better solution to achieve this please feel free to continue this discussion, it might be something we are missing in core.

Best,
Pedro
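Stripping the key from the request, as in the override above, protects this one controller. As a second layer that holds no matter which code path saves the row (a Backpack operation, an API route, `artisan tinker`), here is an added example (not from the issue or from Backpack) of the same `Ufo` model refusing changes to locked attributes at the Eloquent level. It assumes Laravel 5.x/6.x Eloquent; the `$lockedOnUpdate` property name is made up for this example.

```php
<?php
// Added example, not part of the original issue or of Backpack.
// Assumes Laravel 5.x/6.x Eloquent; $lockedOnUpdate is a hypothetical property name.

namespace App;

use Illuminate\Database\Eloquent\Model;

class Ufo extends Model
{
    // Unchanged from the issue: everything stays mass-assignable so create() keeps working.
    protected $fillable = ['type', 'barcode', 'user_id', 'data', 'notes'];

    // Attributes that may be set on create but must never change afterwards (hypothetical name).
    protected $lockedOnUpdate = ['barcode', 'user_id'];

    protected static function boot()
    {
        parent::boot();

        // Fires before every UPDATE, regardless of how the attributes were assigned
        // (fill(), update(), direct property writes, or a controller that forgot to
        // strip the request). Creates are unaffected because "updating" does not fire
        // for a new model.
        static::updating(function (Ufo $ufo) {
            foreach ($ufo->lockedOnUpdate as $attribute) {
                if ($ufo->isDirty($attribute)) {
                    // Restore the persisted value so the change is silently discarded.
                    // Throw an exception here instead if you prefer a hard failure.
                    $ufo->{$attribute} = $ufo->getOriginal($attribute);
                }
            }
        });
    }
}

// Constructed usage: the tampered barcode is discarded, the note is saved.
// $ufo = Ufo::create(['barcode' => 'ABC123', 'notes' => 'old']);
// $ufo->update(['barcode' => 'EVIL', 'notes' => 'new']);
// $ufo->fresh()->barcode === 'ABC123' and $ufo->fresh()->notes === 'new'
```

Because `updating` runs inside `save()`, this guard also covers the case where a later developer replaces the overridden `update()` method or adds a new operation that writes the model; the request-stripping override and the model hook are complementary, not alternatives.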

@pxpm
Thanks for your answer. Also, I think the "overriding crud default methods" page should be mentioned somewhere in the upgrade guide.

```php
// before BP3
$request->request->add(['author_id' => 123]); // add to request
// now BP4
$this->crud->request->request->add(['author_id' => 123]);
$this->crud->addField(['type' => 'hidden', 'name' => 'author_id']);
```

Hey @jrbecart

I think you have a point there.

We could provide more examples in the upgrade guide like we provide in callbacks documentation.

I've submitted a PR (PR 88) to add the examples in the callback docs to the upgrade guide.

Thanks for your contribution :)

Best,
Pedro

Merged! Thank you!
