Task 7 - update forbidden field

README.md

@@ -80,3 +80,11 @@ Test method `test_form_request_validation()`.
 
 ---
 
+## Task 7. Update Forbidden Field.
+
+In `app/Http/Controllers/UserController.php` file, in `update` method, the code updates all the fields. But users.is_admin should not be updated, even if it's passed via the request. Change the line with `$request->all()` to avoid this security issue of updating the admin.
+
+Test method `test_update_forbidden_field()`.
+
+---
+

app/Http/Controllers/UserController.php

@@ -0,0 +1,18 @@
+<?php
+
+namespace App\Http\Controllers;
+
+use App\Http\Requests\UpdateUserRequest;
+use App\Models\User;
+
+class UserController extends Controller
+{
+    public function update(User $user, UpdateUserRequest $request)
+    {
+        // TASK: change this line to not allow is_admin field to be updated
+        // Update only the fields that are validated in UpdateUserRequest
+        $user->update($request->all());
+
+        return 'Success';
+    }
+}

app/Http/Requests/UpdateUserRequest.php

@@ -0,0 +1,31 @@
+<?php
+
+namespace App\Http\Requests;
+
+use Illuminate\Foundation\Http\FormRequest;
+
+class UpdateUserRequest extends FormRequest
+{
+    /**
+     * Determine if the user is authorized to make this request.
+     *
+     * @return bool
+     */
+    public function authorize()
+    {
+        return true;
+    }
+
+    /**
+     * Get the validation rules that apply to the request.
+     *
+     * @return array
+     */
+    public function rules()
+    {
+        return [
+            'name' => 'required',
+            'email' => 'required',
+        ];
+    }
+}

app/Models/User.php

@@ -21,6 +21,7 @@ class User extends Authenticatable
         'name',
         'email',
         'password',
+        'is_admin',
     ];
 
     /**

database/migrations/2021_11_29_132328_add_is_admin_to_users_table.php

@@ -0,0 +1,32 @@
+<?php
+
+use Illuminate\Database\Migrations\Migration;
+use Illuminate\Database\Schema\Blueprint;
+use Illuminate\Support\Facades\Schema;
+
+class AddIsAdminToUsersTable extends Migration
+{
+    /**
+     * Run the migrations.
+     *
+     * @return void
+     */
+    public function up()
+    {
+        Schema::table('users', function (Blueprint $table) {
+            $table->boolean('is_admin')->default(false);
+        });
+    }
+
+    /**
+     * Reverse the migrations.
+     *
+     * @return void
+     */
+    public function down()
+    {
+        Schema::table('users', function (Blueprint $table) {
+            //
+        });
+    }
+}

routes/web.php

@@ -19,6 +19,7 @@ Route::resource('projects', \App\Http\Controllers\ProjectController::class);
 Route::resource('products', \App\Http\Controllers\ProductController::class);
 Route::resource('teams', \App\Http\Controllers\TeamController::class);
 Route::resource('items', \App\Http\Controllers\ItemController::class);
+Route::put('users/{user}', [\App\Http\Controllers\UserController::class, 'update']);
 
 Route::get('/', function () {
     return view('welcome');

tests/Feature/ValidationTest.php

@@ -81,4 +81,22 @@ class ValidationTest extends TestCase
         ]);
         $response->assertStatus(200);
     }
+
+    public function test_update_forbidden_field()
+    {
+        $user = User::factory()->create();
+
+        // field is_admin should not be possible to update
+        $updatedUser = [
+            'name' => 'Updated name',
+            'email' => 'updated@email.com',
+            'is_admin' => 1
+        ];
+        $response = $this->put('users/' . $user->id, $updatedUser);
+        $response->assertStatus(200);
+
+        $user = User::where('name', $updatedUser['name'])->first();
+        $this->assertNotNull($user);
+        $this->assertEquals(false, $user->is_admin);
+    }
 }