Revision #8 has been created by resurtm on Aug 2, 2011, 11:43:06 AM with the memo:
Fixed illegal Markdown bold
« previous (#7) next (#9) »
Understanding "Safe" Validation Rules
Forms, Validation, Safe, Massive Assignment
[...]After all, if the developer configures the form with certain fields, shouldn't they all just be copied to the `$model` after validation has passed? Why isn't this good enough?
Because Yii is protecting you from security surprises.
Though it may seem obvious to accept all the fields built into a form, during the controller's action (where Massive Assignment is taking place), Yii has no way of knowing which actual fields were part of a the form. and which are from a bad guy who is
*synthesizing* form input with a contrived POST in order to fool the application.
This is protecting against two scenarios:
1. Some models have attributes that are legitimate (in general), but not in a specific form. For instance, a change-your-password form for a user should accept the `password` and `passwordRepeat` attributes, but not the `isAdmin` attribute that makes him an administrator of the application. For a changePassword scenario, isAdmin should be marked explicitly `'unsafe'`.