data_get can call delete method on Eloquent models accidentally #15424
Comments
|
Good catch, I can reproduce as well, an error is thrown but the record is indeed deleted:
Easier way to reproduce: $user = User::find(1);
$user->delete; |
|
That's a known issue, you must not use a name of a method in Model.php as an attribute name, avoid doing this because it has multiple issues not only this one. I suggest using |
|
In my case, there was no "delete" attribute. I wanted to have a non-bound field checkbox to confirm the deletion of a related model, the Form helper tried to look up the value of "delete" in the background and produced this unexpected result. I understand it having looked at the code why this happened, but it is a potentially dangerous side-effect. |
|
I've submitted a fix that should prevent that #15438 |
Description:
Using Laravel Collective HTML with a bound form and a field named 'delete' causes the record to be deleted.
Steps To Reproduce:
In a view I had the following (not the entire view, but the essential details)
{!! form_model(entity) !!}
{!! form_checkbox('delete') !!}}
{!! form_close() !!}
This uses data_get internally, which tries to get 'delete' from the model and 'magically' calls the entity delete method. This has potential for serious problems.
The text was updated successfully, but these errors were encountered: