cloudcreativity / laravel-json-api

JSON API (jsonapi.org) package for Laravel applications.
http://laravel-json-api.readthedocs.io/en/latest/
Apache License 2.0

Security: allowed attributes #405

Closed rekrios closed 5 years ago

rekrios commented 5 years ago

Hi again) I want to make sure of something... So, right now, if someone uses the same Model and extends "protected $fillable ..." with some additional params, then anyone can update these params from jsonapi without validation? If so, then my possible solutions:

1) create a folder like jsonapiModels and place there extended models with overridden "protected $fillable ..." just for jsonapi
2) maybe add "allowed attributes" in the jsonapi library

Asking because we can use the same models for other purposes and want to make sure of this question.

lindyhopchris commented 5 years ago

The Eloquent adapter has properties on it for setting what JSON API fields are fillable, and which aren't. Does that not work in this case? https://laravel-json-api.readthedocs.io/en/latest/basics/adapters/#mass-assignment
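As an added illustration of the adapter-level mass-assignment control referred to above (this is not code from the issue or from the package itself, and the namespace, class and attribute names are assumed): a hypothetical `users` resource whose adapter `$fillable` is narrower than the model's own `$fillable`, so a column such as `is_admin` that other parts of the application may mass-assign stays unwritable through the JSON API.

```php
<?php
// app/User.php (hypothetical model shared with the rest of the application)
namespace App;

use Illuminate\Foundation\Auth\User as Authenticatable;

class User extends Authenticatable
{
    // Wide model-level fillable list: fine for internal code paths, but it
    // must not be what decides which attributes an API client may write.
    protected $fillable = ['name', 'email', 'is_admin'];
}

// app/JsonApi/Users/Adapter.php (hypothetical JSON API adapter for the model)
namespace App\JsonApi\Users;

use App\User;
use CloudCreativity\LaravelJsonApi\Eloquent\AbstractAdapter;
use CloudCreativity\LaravelJsonApi\Pagination\StandardStrategy;
use Illuminate\Support\Collection;

class Adapter extends AbstractAdapter
{
    /**
     * JSON API attributes that may be mass-assigned through this resource.
     * Setting this on the adapter overrides the model's $fillable for API
     * requests only, so 'is_admin' is silently not fillable here even though
     * the model itself allows it.
     */
    protected $fillable = ['name', 'email'];

    /** Resource attribute -> model column mapping (none needed here). */
    protected $attributes = [];

    public function __construct(StandardStrategy $paging)
    {
        parent::__construct(new User(), $paging);
    }

    /**
     * Required by AbstractAdapter; only a 'name' filter is supported here.
     */
    protected function filter($query, Collection $filters)
    {
        if ($filters->has('name')) {
            $query->where('name', $filters->get('name'));
        }
    }
}
```

Using `$guarded` on the adapter instead of `$fillable` is the deny-list form of the same control; an allow-list is the safer default when the model is reused elsewhere.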

rekrios commented 5 years ago

> The Eloquent adapter has properties on it for setting what JSON API fields are fillable, and which aren't. Does that not work in this case? https://laravel-json-api.readthedocs.io/en/latest/basics/adapters/#mass-assignment

oh thanks, I was searching for them in the wrong place