kodeine / laravel-meta

Fluent Meta Data for Eloquent Models, as if it is a property on your model
MIT License
400 stars 90 forks

__set() can also set guarded and not fillable attributes #71

Closed thewebartisan7 closed 2 years ago

thewebartisan7 commented 4 years ago

The code below in the __set() method, apart from making a query for each field when you create a new model, also makes guarded and non-fillable attributes of the model fillable:

        if (\Schema::connection($this->connection)->hasColumn($this->getTable(), $key)) {
            parent::setAttribute($key, $value);

            return;
        }

I am not yet sure if the solution below could be better to avoid this security break, since you can no longer use something like:

        User::create($request->all())

since non-fillable and guarded attributes are also set.

This is the proposed solution:

        if(in_array($key, parent::getFillable())) {
            parent::setAttribute($key, $value);

            return;
        }

or even better:

        if(in_array($key, parent::getFillable()) && !in_array($key, parent::getGuarded())) {
            parent::setAttribute($key, $value);

            return;
        }

What do you think?

thewebartisan7 commented 4 years ago

The same issue happens with the code below:


        if (array_key_exists($key, parent::getAttributes())) {
            parent::setAttribute($key, $value);

            return;
        }

line 382

And could be solved in the same way:

        if(in_array($key, parent::getFillable()) && !in_array($key, parent::getGuarded())) {
            parent::setAttribute($key, $value);

            return;
        }

I am also not yet sure why these two similar checks are done.

I mean, if the attribute is checked here and is found, there is no need to check whether that column exists in the database table. If Eloquent doesn't find it, it should not exist, I think?

kodeine commented 4 years ago

Hello, can you please send a PR request and I'll merge this in?
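
The two checks discussed in this thread, side by side, as an added example that is not part of the issue or of laravel-meta's code: a plain-PHP stand-in (TinyModel, its column list and the payload are constructed) that runs the same input through the column-existence check and through the proposed fillable/guarded check. That keys failing the check fall through to meta storage is an assumption of this sketch.

```php
<?php
// Added illustration in plain PHP: not Eloquent and not laravel-meta code.
// TinyModel, its column list and the payload below are constructed.
class TinyModel
{
    protected array $fillable = ['name', 'email'];
    protected array $guarded  = ['is_admin'];
    // Stands in for Schema::hasColumn(): columns of the model's table.
    protected array $columns  = ['id', 'name', 'email', 'is_admin'];

    public array $attributes = []; // values that would go to table columns
    public array $meta = [];       // values that would be stored as meta

    public function __construct(private bool $hardened) {}

    // Check quoted in the issue: any key naming an existing column is written.
    private function columnGate(string $key): bool
    {
        return in_array($key, $this->columns, true);
    }

    // Check proposed in the issue: fillable and not guarded.
    private function fillableGate(string $key): bool
    {
        return in_array($key, $this->fillable, true)
            && !in_array($key, $this->guarded, true);
    }

    public function __set($key, $value)
    {
        $ok = $this->hardened ? $this->fillableGate($key) : $this->columnGate($key);
        if ($ok) {
            $this->attributes[$key] = $value;
            return;
        }
        // Assumption of this sketch: every other key falls through to meta.
        $this->meta[$key] = $value;
    }
}

// Constructed request payload; 'is_admin' is a column the client must not control.
$payload = ['name' => 'Ann', 'is_admin' => 1, 'nickname' => 'annie'];

foreach ([false, true] as $hardened) {
    $m = new TinyModel($hardened);
    foreach ($payload as $k => $v) { $m->$k = $v; }
    echo $hardened ? 'fillable gate' : 'column gate', ': attributes=',
        json_encode($m->attributes), ' meta=', json_encode($m->meta), PHP_EOL;
}
```

With the column check, `is_admin` ends up in `attributes` next to `name`; with the fillable/guarded check it stays out of the column set and lands in `meta`, so a reviewer of the fix should also decide whether guarded keys ought to be accepted as meta at all.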