I'm updating a db record in laravel using eloquent like this:
($request is an object with the properties I want to update)
$book = Book::find($request->id)
$book->title = $request->title;
$book->author = $request->author;
$book->publisher = $request->publisher;
.
.
.
$book->something = $request->something;
$book->save();
It works fine but I wonder if it's possible to do it whitout having to explicity name the properties one by one since the names in $request are exactly the same as those of the model, something like:
$book = $request;
$book->save();
$book = Book::find($request->id);
$book->update($request->all());
More info here https://laravel.com/docs/5.6/queries#updates
However, before doing so, you will need to specify either a fillable or guarded attribute on the model, as all Eloquent models protect against mass-assignment by default.
A mass-assignment vulnerability occurs when a user passes an unexpected HTTP parameter through a request, and that parameter changes a column in your database you did not expect. For example, a malicious user might send an is_admin parameter through an HTTP request, which is then passed into your model's create method, allowing the user to escalate themselves to an administrator.
Read more about in documentations.
Related
I am trying to create access restrictions to a folder or resource inside of a section in a Moodle course using a Script. This restriction must be for groups of users and if you don't belong to that group you can not see the existing resources.
The operation programmatically I want to do is as follows:
I searched for information and there is very little documentation, in the documentation only puts how to do just that by the web link.
I know how to create groups, folders and sections programmatically from script, but I can not identify the tables to be used for these restrictions or what are the steps to follow.
So if anyone knows how to do it or have any examples or documentation that may be useful, it would be helpful.
Thanks in advance.
The classes which will be used to create the UI and check whether a user has access to your resource are located at:
availability/condition/group/classes/condition.php
availability/condition/group/classes/frontend.php
The data related to the conditions are formatted to JSON from the UI in Javascript, then sent and saved. My first guess would be that you need to recreate the JSON structure and save it into the table/column course_modules::availability. Once that is done I think you'll have to purge the cache from cm_info where the availability data is used to confirm whether the current user can access your resource.
update_moduleinfo - Saves the module form submitted data
cm_info - Checks whether the conditions are met
I followed your advice #FMC and I have done this function to my script that is responsible for giving permits to a group for a particular section of a course
and this is the code:
/**
* giving permits to a group for a particular section of a course
*
* #param $course course that contains the section to restrict access
* #param $sectionid id of the section to restrict access
* #param $groupid id of the group will have access
* #param $module id of the mdl_module to restrict access
*
*/
function grantPermission($course, $sectionid, $groupid, $module ){
global $DB;
$restriction = '{"op":"&","c":[{"type":"group","id":'. $groupid .'}],"showc":[true]}';
$cm= $DB->get_record('course_modules', array('course' => $course , 'section' => $sectionid, 'module' => $module ), '*', MUST_EXIST);
$course_module = new stdClass();
$course_module->id = $cm->id;
$course_module->course = $course;
$course_module->section = $sectionid;
$course_module->availability = $restriction;
$res = $DB->update_record('course_modules', $course_module);
if($res)
rebuild_course_cache($course, true);
return $res;
}
Can you check if is this what you meant #FMC? It works but I don't know if this is the best way.
Thank you!
I am working on a website, which already has a working registration form, using the ZfcUser module.
However,
I need to also be able to create a user via the admin page i've created.
Step by step it goes something like this:
Admin adds user by filling in first name, last name and email.
email gets sent to user.
user clicks validation link and gets redirected to website.
now the user only has to enter his desired password and he is done.
How would i be able to do this, if at all possible?
first of all, im not sure what would be the best aproach, but a few come to my mind.
I think the easier would be to load the register form in your admin, remember you can load it from any controller with the service manager, something like
$form = $sm->get('zfcuser_register_form');
and then you can work with it as you would do with any form, sending it to the view, and so.
You would have the full register form, with all the fields you have set as required in your zfcuser.global.php, including the password. I think it is good to set a temp password, and have the user change it later. also you could have its status as unconfirmed until the first password change.
If you dont want an specific field, you can take it out as you would with any form, by means of
$form->remove('element_name');
You would want to check the element names at ZfcUser\Form\Register
Also, remember that if you remove any field, you would have to modify the input filter, otherwise the validation will fail. For this, in your module's bootstrap, you should attach an event listener, something like this:
$em = $e->getApplication ()->getEventManager ();
$em->attach ( 'ZfcUser\Form\RegisterFilter', 'init', function ($e) {
$filter = $e->getTarget ();
//now modify the inputfilter as you need
});
Then, you will have to send the mail to the user. For that i will also use the event manager, at your bootstrap you register a listener for when the user is created, this is by means of
$sm = $e->getApplication ()->getServiceManager ();
$zfcServiceEvents = $sm->get ( 'zfcuser_user_service' )->getEventManager ();
$zfcServiceEvents->attach ( 'register.post', function ($e) {
$form = $e->getParam ( 'form' );
$user = $e->getParam ( 'user' );
//now you have all the info from the form and the already created user, so you can send the mail and whatever you need.
The last step, is to let the user change his password. To do this, i will send him to a module where you show the change password form, that you can retrieve with:
$sm->get('zfcuser_change_password_form');
or directly, sending him to the /user/change-password url that is one of the predefined with zfc-user.
I think this will be the cleanest way.
Another approach
If you dont like it that way, you can use another approach where you create your own form, fill it, save the data to a temp table, send the mail and then...when the user comes to set his password, you build a register form, with the fields pre-filled (and hidden, changing the input type to hidden, or by css) and let him send the form, so while he thinks he is sending just the password, actually he is sending all the registration form, and from here everything is like in normal registration.
For this solution you will also have to use the events, but probably you'd have to take a look at the register event,that is triggered when the form is sent, before the user is saved in the database, so you can modify any data you could need.
$zfcServiceEvents->attach ( 'register', function ($e) {
$form = $e->getParam ( 'form' );
And also you should take a look to the already mentioned init event, where you can retrieve the form before you show it to the user, and prefill any data from the temp table.
$events->attach ( 'ZfcUser\Form\Register', 'init', function ($e) {
$form = $e->getTarget ();
//now you set form element values from the temp table
Probably this is so confusing, but i hope you at least get a clue of where start from!
I have two tables : Users & Profiles. A user has one profile (1:1), a profile can be affected to many users, each profile has many modules, each module has many actions.
I'm sending this object from an asmx to a aspx page using a direct service call.
I got an error because of lazy loading ... so I disabled the lazy loading.
this.Configuration.LazyLoadingEnabled = false;
this works fine, I got my user, with the profile null.
To build the menu tree I have to retrieve the profile. I included It :
User user = new User();
using (cduContext db = new cduContext())
{
// get the user
string encryptedPassword = Encryption.Encrypt(password);
user = (from u in db.Users
where u.UserName.Equals(login) &&
u.Password.Equals(encryptedPassword)
select u).FirstOrDefault();
// Include the users profile
user = db.Users.Include("Profile").FirstOrDefault();
}
return user;
I got this error in the javascript call function :
A circular reference was detected while serializing an object of type 'CDU.Entities.Models.User'.
When I made a quick watch on the user object, in asmx ( before sending it ) , I found, that the profile has included the list of the users who had this pofile, each user has his profile loaded ... etc
Any idea please ?
Note, your code should look like this:
using (cduContext db = new cduContext())
{
// get the user
string encryptedPassword = Encryption.Encrypt(password);
var user = from u in db.Users
where u.UserName.Equals(login) &&
u.Password.Equals(encryptedPassword)
select u;
// Include the users profile
return user.Include("Profile").FirstOrDefault();
}
In your code, you were throwing away the first query by overwriting it with the second. And there was no valid reason to create a blank user.
To address your problem, you're going to have make a decision on what you don't want to serialize. In your case, you probably don't want to serialize Profile.Users
You don't mention what serializer you're using. I'm assuming you're using the DataContract serializer?
EDIT:
You would mark your Profile.Users object with the [IgnoreDataMember] Attribute.
I'm using same form to new client and edit client in Code Igniter. Sometimes I'll include new client so the field must be empty. However, sometimes I'll edit a client and I must put respect value to a field.
For example:
echo form_input('client_name', $client_to_edit['client_name']);
How can I use "set_values()" and $client_to_edit['client_name'] to pass data to the field?
set_value() is really only needed for form_validation and in this case you'll probably need that too. Basically you need to determine if the form is editing or for a new client, if editing it needs to run a query on the database to return that users data and pass it to a variable.
echo form_input('client_name',set_value
('client_name',($user['client_name'] ? $user['client_name']:'')));
Basically what's happening is if the form is editing you're populating the $user variable in the controller with that users data. The set value statement has 3 options. First if the form is returning from form_validation it sets it to whatever was entered when the form was posted, if there is no post data it then looks to see if $user['client_name'] exists, if it does it uses that, if it doesn't it just returns blank.
Is there any way to access the user that initiated the request in build_filters override in tastypie.
I want to use the logged in user to give context to one of the filters for example filter contains the word Home and i want to use this as a lookup to the requesting users locations to find their home address.
If build filters took the request as an argument this would be easy as i could simply call
request.user.get_profile().userlocation_set.get(name_iexact=filters['location'])
Is there anyway to force the user into the list of filters or alternatively enrich get parameters before they are passed to build_filters.
There still isn't a great method for this. I'm currently overriding obj_get_list like so, so that I can manually pass the bundle object to build_filters:
def obj_get_list(self, bundle, **kwargs):
filters = {}
if hasattr(bundle.request, 'GET'):
filters = bundle.request.GET.copy()
filters.update(kwargs)
applicable_filters = self.build_filters(filters=filters, bundle=bundle)
try:
objects = self.apply_filters(bundle.request, applicable_filters)
return self.authorized_read_list(objects, bundle)
except ValueError:
raise BadRequest("Invalid resource lookup data provided (mismatched type).")
There is currently an open pull request for this change:
https://github.com/toastdriven/django-tastypie/pull/901
I haven't found a way to do that. I generally 'cheat' by adding the code into apply_authorization_limits where the session is available.