[Feature Request] Allow create form to be pre-filled via URL variables

[hybridvision]

Originally I posted a question in the DevDojo forum about this and @marktopper asked that I submit an issue, so here goes...

Background

In my application, I have some related tables that I would like to pre-populate certain fields via a link in a custom view.

For example, I have a table clients and while editing a client record, I need to be able to add tasks for the current client. There is already a client_id foreign key in the tasks table and I've set up a relationship but I'm wondering what is the best way to pass the client_id across in a link from the main client record view? The goal is to have the client_id pre-filled to save extra data entry.

I guess I will need to create a custom route and view for the tasks add form and pre-populate the data from the URL. It shouldn't be too complicated but since this seems like a fairly common scenario, I'm curious to know how others have done it...

Feature Request

If possible, it would be great for Voyager to support or streamline this functionality in some way. For my use, I currently only need to pass one value so I was thinking of doing it via GET parameters but maybe a POST would work better for populating multiple fields. I do like the simplicity of GET parameters when creating links to the form.

If there are any other details you need, please let me know.

Thanks for all your amazing work on Voyager!

[marktopper]

I personally think that we could use GET until someone requests support for a longer payload.

[hybridvision]

@marktopper: I've been studying the code more and have managed to make this work in a simple manner by adding a few lines to the beginning of the handle function in src/FormFields/AbstractHandler.php:

// Allow override of value via querystring
$field = $row->field;

if (Request::get($field) !== null) {
    $dataTypeContent->$field = Request::get($field);
}

It's probably not the most elegant solution, so maybe others can suggest improvements, but for now it allows the value of any field to be pre-filled by adding a GET parameter with the same name as the field.

What do you think?

[marktopper]

That looks like a good approach. Will you open a pull request with this?

[hybridvision]

Yes, I'll make a pull request as soon as I have time.

[fletch3555]

I'd be hesitant to do it that way, at least without some checks in place. That could potentially lead to injection-style attacks if we're not careful with it. Also, there may be certain fields we don't want populated this way (e.g. "password")

[hybridvision]

You're right @fletch3555 - for my particular use case, this isn't such a concern but for something that would be included in the core, it would need much more serious consideration.

Having said that, wouldn't the underlying permissions cover most of the security concerns? My changes just allow pre-filling / overriding of certain fields but you'd still need to be authorised to add / edit for the data type.

Do you have any ideas on how you would approach this?

[MrCrayon]

Do you have any ideas on how you would approach this?

What about having a property in Model?

public $prefillable = ['name', 'surname'];