Refactoring With Create 0:00
Here's our next technique. If I scroll down to the store method, notice that we validate the request, and then we build up an article, assign the attributes, and persist it. Well, as it turns out, there's a number of ways to clean this up. First, I could use the article create method. And here, we can provide an array to assign everything. Now when we call create, it will assign the attributes and save it all in one go, which means I could remove this.

Understanding Mass Assignment 0:32
However, there's one little gotcha to be aware of. Let's take a look in the browser. If we try to create a new article here, and submit it, it's going to fail. We get this new error, "add title to fillable property to allow mass assignment." So what on earth is mass assignment? Okay, this is something Laravel protects you against. Mass assignment vulnerabilities refer to situations when an unexpected and undeclared parameter is passed from the request and which ultimately changes a record in your table.

Defining Fillable Fields 1:04
So again, out of the box, Laravel wants you to be explicit, but I will show you a way to turn this off. For now, if you were explicit, you'd add a property called fillable, and here, you may specify all values that can be mass assigned. In this case, the title, the excerpt, and the body. So now, if I come back and I give it a refresh, it'll work once again. Okay. However, as long as you're safe and you don't end up in situations where, for example, you grab everything from the request, all, and you pass it to article create or user create, things like this can be very dangerous. Because think about it.
Sure, it'll update the user's name and their email, but what about whether or not the user, for example, is an administrator, or if they are a paying subscriber, or if their account is active? Those are the sorts of things you should never allow the user to change. You should be in control of it. But if you pass everything from the request, well, it's trivial to add additional parameters as part of that request. So you could say, well, sure, I'm going to update the user's name to the new name, but I'm also going to sneak in this subscriber status and set this to true as part of it. And even though I'm not paying, and even though I'm a guest, well, without you knowing, I was able to update my subscriber status. So again, these are the sorts of scenarios that Laravel is protecting you against. However, as long as you're not doing this, you are free to reverse this. You could say, I got it. I don't need Laravel to help me here. I understand what I'm doing. So don't guard anything. I will be in charge of that. So now if we give this another run, it's all going to work because now Laravel is not guarding anything. So it's entirely up to you how much automatic protection you want.

Using Validated Attributes 2:57
Okay. So with that in mind, let's go back to our articles controller. And now this is a little cleaner. However, we can even take it one step further. Notice the duplication here. We declare title, excerpt, and body. And then we reference it again, title, excerpt, body. And you can imagine for a form with 10 different fields, you end up with a lot of duplication.
So as it turns out, after the validation is successful, it will return the validated attributes from the function call. So take a look at this. If I return validated attributes, and we come back, we try to create a brand new article, we will pass all the validation, and sure enough, we get this array. Notice this array is identical to what we want here, which means I could replace this array entirely with the validated attributes, and everything will still work. Or I could even go one further and inline this entirely, and we end up with that.

Updating With Validated Data 3:59
Validate the request, and then pass those validated attributes to the create method. And this is what we end up with. All right. Let's now scroll down and do the same thing to the update method. Now in this situation, we're not going to call article create again because we already have an existing article. So in these situations, we instead call an update method, and we pass the attributes. Okay. So yet again, you could save this to attributes or article, anything you want, and then you could reference it here, or yet again, inline it. Now I could remove all of this, like so. So again, I want to be clear. Notice that the create method assigns the attributes and saves it to the database all in one go. And the same is true for update. It assigns the attributes and persists it all in one go.

Extracting Shared Validation 4:51
Finally, one last piece of the puzzle. Notice in both of these cases, our validation is identical.
Now this won't always be the case. Sometimes your update validation will be slightly different, but in this case, identical. So with that in mind, why don't we extract this to a method, and we'll call it validate article, like so. So now validate article declares it one time, and we can then reference it here as well as the update method. And now if we do add a new field to our form, we only have to update the validation rules in one place. Now there is a different approach using form request classes, but I'm going to save that for a future episode. So for now, this looks pretty good to me.