Unable to update nested JSON columns using "->" sign #34630
Comments
This is for security.
@taylorotwell would it work if we allow users to specify instead $fillable using wildcard? For example, we can have On the side note, should we consider removing this? https://laravel.com/docs/8.x/queries#updating-json-columns
That still lets an outside user put ANY key in your JSON column.
Can't you list "devices->key" explicitly in fillable?
The control of which attributes will be passed in from controllers can be done through request object like
@taylorotwell I'm facing the same issue as mentioned #33975 (comment) as my attributes are dynamic which was why I decided to use JSON instead of creating a column in the first place
Description:
Recently there was a change to verify that columns that are being updated are actual columns:
#33777
Inside this commit, the feature to get the actual column name from nested attribute has been removed
4a15c31#diff-17e37c1b4a410ed3d77fd43a28c094e2
Before the changes, when we specify an update to a JSON attribute, it will get the column name and compare it with the guarded key. For example, when we specify an update as follows:
It will use "wallet" to compare against the guarded attributes and therefore will allow the updates.
After the changes, "wallet->balance" will be evaluated, returning false inside the `isGuardableColumn($key)` method and return the `isGuarded($key)` as true due to the following:

Steps To Reproduce:
Related PRs & commits
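A simplified stand-alone model (PHP 8.0+) of the guard decision described in this issue and of the explicit-path allow-list raised in the comments. It is an added example, not Laravel's code and not part of the thread; `GuardModel`, its methods, the `kept()` helper and the sample input are hypothetical, and the rule that a non-empty allow-list admits only the exact keys it names is an assumption of the model.

```php
<?php
// Simplified model of the mass-assignment guard decision discussed above.
// Not Laravel source: GuardModel and its methods are hypothetical names.
final class GuardModel
{
    public function __construct(
        private array $columns,        // real table columns
        private array $guarded,        // deny-list, like $guarded
        private array $fillable = []   // allow-list, like $fillable
    ) {}

    // "Before": only the column part of "wallet->balance" is compared with
    // the guarded list, so every key under an unguarded JSON column passes.
    public function allowedBefore(string $key): bool
    {
        $column = explode('->', $key, 2)[0];
        return !in_array($column, $this->guarded, true);
    }

    // "After": the full key must itself be a real column. A non-empty
    // allow-list takes over and admits only the exact paths it names.
    public function allowedAfter(string $key): bool
    {
        if ($this->fillable !== []) {
            return in_array($key, $this->fillable, true);
        }
        return in_array($key, $this->columns, true)
            && !in_array($key, $this->guarded, true);
    }
}

// Constructed request input; "wallet->is_admin" is a key the caller invented.
$input = ['name' => 'x', 'wallet->balance' => 100, 'wallet->is_admin' => true];

function kept(array $input, callable $allowed): string
{
    $keys = array_keys(array_filter($input, $allowed, ARRAY_FILTER_USE_KEY));
    return $keys === [] ? '(nothing)' : implode(', ', $keys);
}

$denyList  = new GuardModel(['id', 'name', 'wallet'], ['id']);
$allowList = new GuardModel(['id', 'name', 'wallet'], ['id'], ['name', 'wallet->balance']);

echo 'before, guarded only:   ', kept($input, [$denyList, 'allowedBefore']), PHP_EOL;
echo 'after, guarded only:    ', kept($input, [$denyList, 'allowedAfter']), PHP_EOL;
echo 'after, explicit paths:  ', kept($input, [$allowList, 'allowedAfter']), PHP_EOL;
```

The first line of output shows the concern raised in the comments: with only a deny-list and column-prefix matching, a caller-chosen key under `wallet` is accepted alongside the intended one.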