Version: Next

Security

Protecting model attributes

Filament will expose all model attributes to JavaScript, unless they are listed in $hidden on your model. This is Livewire's behaviour for model binding. We preserve this functionality to facilitate the dynamic addition and removal of form fields after they are initially loaded, while preserving the data they may need.

While attributes may be visible in JavaScript, only those with a form field are actually editable by the user. This is not an issue with mass assignment.

To remove certain attributes from JavaScript on the Edit and View pages, you may override the mutateFormDataBeforeFill() method:

protected function mutateFormDataBeforeFill(array $data): array
{
    unset($data['is_admin']);

    return $data;
}

In this example, we remove the is_admin attribute from JavaScript, as it's not being used by the form.
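The unset() call above is a deny-list, so a sensitive column added to the model later is still sent to the browser until someone remembers to list it. The added example below (not Filament's own code) contrasts that with an allow-list filter. The helper names, the sample record and the stripe_customer_id column are hypothetical, and it assumes the form only needs the name and email attributes, including for any fields it adds dynamically.

```php
<?php

declare(strict_types=1);

// Hypothetical helper: allow-list filter. Keeps only the attributes the form
// binds to, so a newly added column is withheld from JavaScript by default.
function onlyFormAttributes(array $data, array $allowed): array
{
    return array_intersect_key($data, array_flip($allowed));
}

// Hypothetical helper: deny-list filter, equivalent to the unset() approach.
function withoutAttributes(array $data, array $denied): array
{
    return array_diff_key($data, array_flip($denied));
}

// Constructed sample record, shaped like the $data array passed to
// mutateFormDataBeforeFill(). All values are made up.
$record = [
    'id' => 7,
    'name' => 'Dana',
    'email' => 'dana@example.test',
    'is_admin' => true,
    // Imagine this column was added after the deny-list was written.
    'stripe_customer_id' => 'cus_constructed',
];

// Deny-list: is_admin is removed, but the newer column still gets through.
$denied = withoutAttributes($record, ['is_admin']);
assert(! array_key_exists('is_admin', $denied));
assert(array_key_exists('stripe_customer_id', $denied));

// Allow-list: only the attributes the form fields use are kept.
$allowed = onlyFormAttributes($record, ['name', 'email']);
assert(array_keys($allowed) === ['name', 'email']);

// On a Filament Edit or View page, the same filter would be applied as:
//
// protected function mutateFormDataBeforeFill(array $data): array
// {
//     return onlyFormAttributes($data, ['name', 'email']);
// }
```

An allow-list must include every attribute that any form field reads, otherwise that field will load empty.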