
Mass assignment

Marco E edited this page Sep 7, 2020 · 2 revisions

The create method saves a new model in a single line and returns the inserted model instance. Before you can use it, you must define either a $fillable or a $guarded property on the model, because all Eloquent models protect against mass assignment by default.

A mass-assignment vulnerability occurs when a user passes an unexpected HTTP parameter through a request, and that parameter changes a column in your database you did not expect. For example, a malicious user might send an is_admin parameter through an HTTP request, which is then passed into your model's create method, allowing the user to escalate themselves to an administrator.

So, to get started, you should define which model attributes you want to make mass assignable. You do this with the $fillable property on the model. For example, let's make the time, title and description attributes of our Meeting model mass assignable:

```php
<?php

namespace App;

use Illuminate\Database\Eloquent\Model;

class Meeting extends Model
{
    /**
     * The attributes that are mass assignable.
     *
     * @var array
     */
    protected $fillable = [
        'time', 'title', 'description',
    ];

    /**
     * The users that belong to the meeting.
     */
    public function users()
    {
        return $this->belongsToMany('App\User');
    }
}
```
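To make the protection described above concrete without a database or the framework installed, here is an added, self-contained PHP illustration (not Laravel's or Eloquent's code) of the allow-list check that $fillable and $guarded express. The base class `MinimalModel`, the contrasting `UnprotectedUser` model and the request array are all constructed for this example; the rule they implement is the one the page states: a $fillable allow-list wins when present, otherwise $guarded is a deny-list, and the default `['*']` blocks every column until one of them is set.

```php
<?php
// Added illustration, not Eloquent code: a minimal model that reproduces the
// mass-assignment allow-list / deny-list behaviour described on this page.

abstract class MinimalModel
{
    /** @var array<string> attributes that may be mass assigned (allow-list) */
    protected $fillable = [];

    /** @var array<string> attributes that may NOT be mass assigned; ['*'] guards everything */
    protected $guarded = ['*'];

    /** @var array<string, mixed> attributes accepted by fill() */
    protected $attributes = [];

    /** @var array<string> keys dropped by the last fill() call, useful for logging */
    public $rejected = [];

    public static function create(array $input)
    {
        $model = new static();
        $model->fill($input);
        // A real model would INSERT here; this one only keeps the attributes in memory.
        return $model;
    }

    public function fill(array $input)
    {
        $this->rejected = [];
        // Mirror the default behaviour: with no $fillable and the default
        // $guarded, mass assignment is refused outright.
        if ($this->fillable === [] && $this->guarded === ['*']) {
            throw new RuntimeException(
                'Add fillable or guarded to ' . static::class . ' before mass assigning.'
            );
        }
        foreach ($input as $key => $value) {
            if ($this->isFillable($key)) {
                $this->attributes[$key] = $value;
            } else {
                $this->rejected[] = $key;   // silently dropped, never written
            }
        }
        return $this;
    }

    public function isFillable(string $key): bool
    {
        // $fillable is an allow-list and takes precedence when it is non-empty.
        if ($this->fillable !== []) {
            return in_array($key, $this->fillable, true);
        }
        // Otherwise $guarded is a deny-list; ['*'] guards every column.
        return $this->guarded !== ['*'] && !in_array($key, $this->guarded, true);
    }

    public function getAttributes(): array
    {
        return $this->attributes;
    }
}

/** The model from this page, protected with an allow-list. */
class Meeting extends MinimalModel
{
    protected $fillable = ['time', 'title', 'description'];
}

/** Hypothetical model that switches protection off entirely; shown only for contrast. */
class UnprotectedUser extends MinimalModel
{
    protected $guarded = [];
}

// Constructed request payload: an ordinary form post with an extra is_admin field.
$input = [
    'time'        => '2020-09-07 10:00',
    'title'       => 'Sprint review',
    'description' => 'Demo of the new dashboard',
    'is_admin'    => 1,
];

$meeting = Meeting::create($input);
var_dump(array_key_exists('is_admin', $meeting->getAttributes()));
print_r($meeting->rejected);

$user = UnprotectedUser::create($input);
var_dump(array_key_exists('is_admin', $user->getAttributes()));
```

With the allow-list in place the extra is_admin key never reaches the model's attributes and shows up in `$rejected`, which is a convenient place to hook a log line so that unexpected parameters are visible during review. The `UnprotectedUser` case shows why `$guarded = []` should be avoided on any model that has privileged columns: every submitted key is written.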