In a Yii2 app I have a User model. For example, I have the fields name and is_admin (0 or 1). When a user signs up, he enters the name only.
He has a user/update page to edit his name. But if you are an admin, you can also edit everyone's page and set the is_admin field too (for admins it is visible on the page).
The rules are like:
    public function rules()
    {
        return [
            // both attributes are validated in every scenario, so both are
            // "safe" (mass-assignable) for load() in the default scenario
            ['name', 'string'],
            ['is_admin', 'integer'],
        ];
    }
Q: How do I protect the action from users being able to make themselves admins from the user/update page by submitting another <input name="User[…]">?
That means anyone can replace the input attribute name="User[name]" with name="User[is_admin]" and set the value to 1. Then $model->load(Yii::$app->request->post()) automatically sets the is_admin var.
Yes, I can empty is_admin in $_POST by hand, but in a real project I have 20+ fields in the db table and a lot of actions; it is hard to check every time what inputs I have in every view and compare.
Controller:
    $model = User::findIdentity($id);
    // load() assigns every posted User[...] key that is a safe attribute
    // in the model's current scenario (here: the default scenario)
    if ($model->load(Yii::$app->request->post())) {
        if ($model->save())
            ...
    }
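The Yii2 way to close this hole is not to filter $_POST per view but to tell the model which attributes are mass-assignable in which situation. $model->load() only assigns "safe" attributes, and an attribute is safe only if the current scenario lists it (by default, if a validation rule covers it in that scenario). The following is an added example, not code from the question; it assumes a user table with columns id, name, is_admin and auth_key, a scenario name 'admin', and a UserController::actionUpdate action, all of which are hypothetical. It overrides scenarios() with an explicit whitelist, so a forged User[is_admin]=1 field is dropped for everyone who is not in the admin scenario, regardless of what inputs a particular view renders.

```php
<?php
// Added example, not code from the original question. It shows the Yii2 fix:
// load() only mass-assigns attributes that are "safe" in the model's current
// scenario, so the whitelist lives once in the model instead of in every view.
// Assumed (hypothetical) details: table `user` with columns id, name, is_admin,
// auth_key; scenario name 'admin'; a UserController::actionUpdate action.

namespace app\models;

use yii\db\ActiveRecord;
use yii\web\IdentityInterface;

class User extends ActiveRecord implements IdentityInterface
{
    const SCENARIO_ADMIN = 'admin'; // assumed scenario name

    public static function tableName()
    {
        return '{{%user}}';
    }

    public function rules()
    {
        return [
            ['name', 'string', 'max' => 255],
            // Restrict is_admin to the two legal values; it is only validated
            // (and only assignable) in scenarios that list it in scenarios().
            ['is_admin', 'integer'],
            ['is_admin', 'in', 'range' => [0, 1]],
        ];
    }

    // Explicit per-scenario whitelist of mass-assignable attributes. Anything
    // not listed for the current scenario is ignored by load(), so a forged
    // User[is_admin]=1 field does nothing in the default scenario.
    public function scenarios()
    {
        return [
            self::SCENARIO_DEFAULT => ['name'],
            self::SCENARIO_ADMIN   => ['name', 'is_admin'],
        ];
    }

    // Minimal IdentityInterface implementation so that Yii::$app->user->identity
    // is a User object (assumes an auth_key column).
    public static function findIdentity($id)
    {
        return static::findOne($id);
    }

    public static function findIdentityByAccessToken($token, $type = null)
    {
        return null; // token login is not used in this example
    }

    public function getId()
    {
        return $this->id;
    }

    public function getAuthKey()
    {
        return $this->auth_key;
    }

    public function validateAuthKey($authKey)
    {
        return $this->auth_key === $authKey;
    }
}

namespace app\controllers;

use Yii;
use app\models\User;
use yii\web\Controller;
use yii\web\ForbiddenHttpException;
use yii\web\NotFoundHttpException;

class UserController extends Controller
{
    public function actionUpdate($id)
    {
        $model = User::findOne($id);
        if ($model === null) {
            throw new NotFoundHttpException('User not found.');
        }

        /** @var User $current */
        $current = Yii::$app->user->identity;
        if ($current->is_admin) {
            // Only admins get the scenario in which is_admin is safe.
            $model->scenario = User::SCENARIO_ADMIN;
        } elseif ((int) $current->id !== (int) $model->id) {
            // Non-admins may edit only their own record.
            throw new ForbiddenHttpException('You can only edit your own profile.');
        }
        // Non-admins stay in SCENARIO_DEFAULT, where only name is safe.

        if ($model->load(Yii::$app->request->post()) && $model->save()) {
            return $this->redirect(['update', 'id' => $model->id]);
        }

        return $this->render('update', ['model' => $model]);
    }
}
```

Two things worth knowing when you use this. First, once you override scenarios() you must list every attribute that a form may set in that scenario; attributes that are neither listed nor covered by a scenario-specific rule are silently dropped, which is the behaviour you want for the 20+ other columns too. Second, you can verify the protection without reading the views: with YII_DEBUG enabled, every dropped field is logged by the framework as "Failed to set unsafe attribute 'is_admin' in 'app\models\User'", so submitting a forged User[is_admin]=1 as a normal user and checking the debug log shows the attribute being rejected.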