mirror of
https://github.com/10h30/Test-Laravel-Validation.git
synced 2026-07-11 10:55:53 +09:00
Task 7 - update forbidden field
This commit is contained in:
@@ -80,3 +80,11 @@ Test method `test_form_request_validation()`.
|
|||||||
|
|
||||||
---
|
---
|
||||||
|
|
||||||
|
## Task 7. Update Forbidden Field.
|
||||||
|
|
||||||
|
In `app/Http/Controllers/UserController.php` file, in `update` method, the code updates all the fields. But users.is_admin should not be updated, even if it's passed via the request. Change the line with `$request->all()` to avoid this security issue of updating the admin.
|
||||||
|
|
||||||
|
Test method `test_update_forbidden_field()`.
|
||||||
|
|
||||||
|
---
|
||||||
|
|
||||||
|
|||||||
@@ -0,0 +1,18 @@
|
|||||||
|
<?php
|
||||||
|
|
||||||
|
namespace App\Http\Controllers;
|
||||||
|
|
||||||
|
use App\Http\Requests\UpdateUserRequest;
|
||||||
|
use App\Models\User;
|
||||||
|
|
||||||
|
class UserController extends Controller
|
||||||
|
{
|
||||||
|
public function update(User $user, UpdateUserRequest $request)
|
||||||
|
{
|
||||||
|
// TASK: change this line to not allow is_admin field to be updated
|
||||||
|
// Update only the fields that are validated in UpdateUserRequest
|
||||||
|
$user->update($request->all());
|
||||||
|
|
||||||
|
return 'Success';
|
||||||
|
}
|
||||||
|
}
|
||||||
@@ -0,0 +1,31 @@
|
|||||||
|
<?php
|
||||||
|
|
||||||
|
namespace App\Http\Requests;
|
||||||
|
|
||||||
|
use Illuminate\Foundation\Http\FormRequest;
|
||||||
|
|
||||||
|
class UpdateUserRequest extends FormRequest
|
||||||
|
{
|
||||||
|
/**
|
||||||
|
* Determine if the user is authorized to make this request.
|
||||||
|
*
|
||||||
|
* @return bool
|
||||||
|
*/
|
||||||
|
public function authorize()
|
||||||
|
{
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Get the validation rules that apply to the request.
|
||||||
|
*
|
||||||
|
* @return array
|
||||||
|
*/
|
||||||
|
public function rules()
|
||||||
|
{
|
||||||
|
return [
|
||||||
|
'name' => 'required',
|
||||||
|
'email' => 'required',
|
||||||
|
];
|
||||||
|
}
|
||||||
|
}
|
||||||
@@ -21,6 +21,7 @@ class User extends Authenticatable
|
|||||||
'name',
|
'name',
|
||||||
'email',
|
'email',
|
||||||
'password',
|
'password',
|
||||||
|
'is_admin',
|
||||||
];
|
];
|
||||||
|
|
||||||
/**
|
/**
|
||||||
|
|||||||
@@ -0,0 +1,32 @@
|
|||||||
|
<?php
|
||||||
|
|
||||||
|
use Illuminate\Database\Migrations\Migration;
|
||||||
|
use Illuminate\Database\Schema\Blueprint;
|
||||||
|
use Illuminate\Support\Facades\Schema;
|
||||||
|
|
||||||
|
class AddIsAdminToUsersTable extends Migration
|
||||||
|
{
|
||||||
|
/**
|
||||||
|
* Run the migrations.
|
||||||
|
*
|
||||||
|
* @return void
|
||||||
|
*/
|
||||||
|
public function up()
|
||||||
|
{
|
||||||
|
Schema::table('users', function (Blueprint $table) {
|
||||||
|
$table->boolean('is_admin')->default(false);
|
||||||
|
});
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Reverse the migrations.
|
||||||
|
*
|
||||||
|
* @return void
|
||||||
|
*/
|
||||||
|
public function down()
|
||||||
|
{
|
||||||
|
Schema::table('users', function (Blueprint $table) {
|
||||||
|
//
|
||||||
|
});
|
||||||
|
}
|
||||||
|
}
|
||||||
@@ -19,6 +19,7 @@ Route::resource('projects', \App\Http\Controllers\ProjectController::class);
|
|||||||
Route::resource('products', \App\Http\Controllers\ProductController::class);
|
Route::resource('products', \App\Http\Controllers\ProductController::class);
|
||||||
Route::resource('teams', \App\Http\Controllers\TeamController::class);
|
Route::resource('teams', \App\Http\Controllers\TeamController::class);
|
||||||
Route::resource('items', \App\Http\Controllers\ItemController::class);
|
Route::resource('items', \App\Http\Controllers\ItemController::class);
|
||||||
|
Route::put('users/{user}', [\App\Http\Controllers\UserController::class, 'update']);
|
||||||
|
|
||||||
Route::get('/', function () {
|
Route::get('/', function () {
|
||||||
return view('welcome');
|
return view('welcome');
|
||||||
|
|||||||
@@ -81,4 +81,22 @@ class ValidationTest extends TestCase
|
|||||||
]);
|
]);
|
||||||
$response->assertStatus(200);
|
$response->assertStatus(200);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
public function test_update_forbidden_field()
|
||||||
|
{
|
||||||
|
$user = User::factory()->create();
|
||||||
|
|
||||||
|
// field is_admin should not be possible to update
|
||||||
|
$updatedUser = [
|
||||||
|
'name' => 'Updated name',
|
||||||
|
'email' => 'updated@email.com',
|
||||||
|
'is_admin' => 1
|
||||||
|
];
|
||||||
|
$response = $this->put('users/' . $user->id, $updatedUser);
|
||||||
|
$response->assertStatus(200);
|
||||||
|
|
||||||
|
$user = User::where('name', $updatedUser['name'])->first();
|
||||||
|
$this->assertNotNull($user);
|
||||||
|
$this->assertEquals(false, $user->is_admin);
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|||||||
Reference in New Issue
Block a user