(12-19-2021, 08:55 PM)kilishan Wrote: Do you have the $allowedFields filled out in the model with only the fields that can be updated? The model should take care of only allowing those fields through and ignoring anything else in the entity.
I have the flag $protectFields=false in the Model.
This is a great point, thanks kilishan. Probably it's time to better understand the allowed fields and protectFields of the Model.
I have a table with a lot of fields; some of those fields are filled by the user using a form, others are set by the controller during the process (like some flags or stuff like that).
To get things working I should put every field in $allowedFields. For some tables, this can be time-wasting. Also, I allowed everything every time, which does not sound like a good practice.
Let's say I have a contacts table. The tenant fills in the form with name and email and clicks "save".
I get the request, instantiate the Contact Entity, fill it with the POST request, then I have to set the following params:
PHP Code:
// Values set by the controller, not by the form
$entity->highlight = true;
$entity->start_tutorial = true;
$entity->user_id = session('user_id');
$entity->tenant_id = session('tenant_id');
after a server-to-server API call:
PHP Code:
$entity->stripe_customer_id = API_RESPONSE; // placeholder for the value returned by the API
...
...
and then $model->save($entity);
So, in the model, I should set (at least):
PHP Code:
protected $protectFields = true;
protected $allowedFields = ['name', 'email', 'tenant_id', 'user_id', 'highlight', 'start_tutorial', 'stripe_customer_id' /* ... all other params I want to save */];
How do you guys treat this scenario?
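The scenario above as an added plain-PHP illustration (not part of the thread and not CodeIgniter's own code): it compares relying only on a model-level list with also narrowing the POST data to the form's fields before the controller sets its own values. The names `only`, `buildContactRow`, `FORM_FIELDS` and `ALLOWED_FIELDS` are hypothetical, the two filters are stand-ins for a form whitelist and for `$allowedFields`, and the request data and the case where the API call has not yet run are constructed.

```php
<?php
// Added example in plain PHP; the two filters stand in for a form-level
// whitelist and for the model's $allowedFields (hypothetical names).

const FORM_FIELDS = ['name', 'email'];            // what the tenant may send
const ALLOWED_FIELDS = [                          // what the model may write
    'name', 'email', 'tenant_id', 'user_id',
    'highlight', 'start_tutorial', 'stripe_customer_id',
];

/** Keep only the listed keys of $data. */
function only(array $data, array $keys): array
{
    return array_intersect_key($data, array_flip($keys));
}

/**
 * Build the row to save. With $narrowInput the POST data is reduced to
 * FORM_FIELDS before the controller adds its own values; without it the
 * model-level list is the only filter.
 */
function buildContactRow(array $post, array $session, ?string $stripeId, bool $narrowInput): array
{
    $row = $narrowInput ? only($post, FORM_FIELDS) : $post;
    $row['highlight']      = true;                 // set by the controller
    $row['start_tutorial'] = true;
    $row['user_id']        = $session['user_id'];
    $row['tenant_id']      = $session['tenant_id'];
    if ($stripeId !== null) {                      // only once the API call has run
        $row['stripe_customer_id'] = $stripeId;
    }
    return only($row, ALLOWED_FIELDS);             // model boundary
}

// Constructed sample request: the form fields plus two keys the form never offers.
$post = ['name' => 'Ada', 'email' => 'ada@example.test',
         'stripe_customer_id' => 'posted-value', 'tenant_id' => 99];
$session = ['user_id' => 7, 'tenant_id' => 3];

// Same request, API call not yet made: compare what each approach would save.
print_r(buildContactRow($post, $session, null, false)); // model list only
print_r(buildContactRow($post, $session, null, true));  // input narrowed first
```

Comparing the two printed rows shows which columns come from the request and which from the controller; the model-level list cannot tell the two apart because it sees only the merged row.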