I have an app with a Users table with columns: id|name|email|is_admin. I want admins to be able to set other users as admins.
In models/User.php I prevent mass-assignment with:
protected $fillable = ['name', 'email'];
Laravel 4 Role Based Mass Assignment concludes that Laravel has no such feature.
My question is, what is a viable work-around? How can I allow only admins to update the column 'is_admin' in my database?
Extend your User model to create an admin-only version without the mass-assignment protection.
In the new class, override the $fillable property:
class UnprotectedUser extends User
{
protected $fillable = [<all fields>];
}
Then use the new model in your admin-specific code:
$user = UnprotectedUser::create($arrayOfAllFields);
Be sure to use the original class in as many places as possible so that you can continue to take advantage of the mass-assignment protection.
Actually, the following code:
protected $fillable = ['name', 'email'];
will prevent from Mass-Assignment which means that, someone can't use something like this:
User::create(['name' => 'xxx', 'email' =>'[email protected]', 'is_admin' => 1]);
In this case, the is_admin field won't be updated but it's still possible do the same thing using something like this (it's not Mass Assignment):
$user = User::find($id); // Or $user = new User; (when creating a new user);
$user->name = 'xxx';
$user->email = '[email protected]';
$user->is_admin = 1;
$user->save();
So there will be no problem to update the User like this way.
