getStrippedSaveRequest might not be necessary

[eduardoarandah]

Feature Request

What's the feature you think Backpack should have?

$request->validated()

Have you already implemented a prototype solution, for your own project?

yes

Do you see this as a core feature or an add-on?

core feature

The original problem

Old backpack versions performed save operation on $request->all()
giving way to malicious insertions by adding fields artificially in the request.
(remember @tabacitu ? )

This gave way to /src/app/Library/CrudPanel/Traits/Fields.php
getStrippedSaveRequest function which effectively prevents it.

However, this might not be necessary by simply using $request->validated()
https://laravel.com/docs/7.x/validation#form-request-validation

It works, why change?

A common scenario is modifying data just before the insertion.
Or triggering something just after.

This might simplify things a little for novice users.

NOTE: tbh I'm not 100% sure about the validated() method and its nuances

[pxpm]

I am just not sure in the scenario you add 3 fields A, B, C.

A,B are required in request. C has no validation.

$this->crud->validateRequest() would validate both A and B and keep C unvalidated in request.

In this scenario, $request->validated() would return only A,B (the fields that was actually validated) or A,B,C because technically C did not fail validation ?

What if you don't have any form request for validation of any of the fields? What would be the return of ->validated()

Best,
Pedro

[eduardoarandah]

I am just not sure in the scenario you add 3 fields A, B, C.

A,B are required in request. C has no validation.

$this->crud->validateRequest() would validate both A and B and keep C unvalidated in request.

In this scenario, $request->validated() would return only A,B (the fields that was actually validated) or A,B,C because technically C did not fail validation ?

If you need A, B, C fields in your controller, then you need at least A,B,C in the request validation, other fields would be ignored. (which is perfect)

If C doesn't need validation you can use nullable
https://laravel.com/docs/7.x/validation#rule-nullable

I think there would be a problem is backpack generates zero validation rules... all fields would be ignored

What if you don't have any form request for validation of any of the fields? What would be the return of ->validated()

if you don't have a form request then ->validated doesn't exist

->validated() is part of use Illuminate\Foundation\Http\FormRequest; not part of use Illuminate\Http\Request;

I got to the conclusion that this might be the right path to go, since that's the code Blueshift generates, have you used it?

[eduardoarandah]

To auto generate validation rules there's this package. Maybe there's a way of using it to fill rules section? idk

https://crestapps.com/laravel-code-generator/docs/2.2#how-to-create-form-request

[pxpm]

Hum.. from my understanding getStrippedSaveRequest does not hit the Resquest file. It checks if the field names that are in request matches the ones user added with CRUD::field('name') in controller. Then you can validate one or many fields as you would like in request.

    public function getStrippedSaveRequest()
    {
        $setting = $this->getOperationSetting('saveAllInputsExcept');
        if ($setting == false || $setting == null) {
            return $this->getRequest()->only($this->getAllFieldNames());
        }

        if (is_array($setting)) {
            return $this->getRequest()->except($this->getOperationSetting('saveAllInputsExcept'));
        }

        return $this->getRequest()->only($this->getAllFieldNames());
    }

[tabacitu]

I agree with both of you 😂: the way I see it, indeed getStrippedSaveRequest() is NOT needed, if all fields are declared inside the validation (even as nullable). But I think in real life, there usually are fields there that are not declared inside the validation file, but are declared just inside the CrudController.

Though I would love to simplify this part of the saving process, personally I don't think we can remove getStrippedSaveRequest() at this time and require everybody to have all fields inside the validation too:

1. it would be a breaking change;
2. it would require the developer to remember to add the field both in the controller, and in the validation file; so for adding one field you'd need to edit two files; which - if I remember correctly, is the exact reason why we added getStrippedSaveRequest(), so that the developer can just make this change inside the CrudController - not needing to edit both the CrudController and the Model's $fillable array;

So for convenience, for the time being, I'd keep getStrippedSaveRequest().
I'm open to other opinions and arguments though!

[jcastroa87]

Hi.

Due to not activity on many years i will close this discussion, if there is needed feel free to reopen or create a new one.

Cheers.