You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
The relationships: An Account model has a many-to-many relationship to a Collection model. A collection belongs to a single user.
The collection model has a scope ownedByCurrentUser() which simply applies a ->where('user_id', Auth::user()->id) constraint.
It looks like this on the front end:
User 1:
User 2:
As you can see, each user see's their own collections.
The problem occurs when one user adds an account to one of their collections, and then another user tries to add the same account to one of their collections. The second user will fail with validation errors.
If you view the query that is sent to the database I believe it's because the exist rule is trying to validate against all collections that the account belongs to regardless of the scoped query and since this could be another user's collections, it fails.
For example, in the first screenshot above, User 1 had added this account to two collections. In the second screenshot, User 2 tries to add that same account to one of their collections and they get the following:
The query that is sent to the database looks like this:
selectcount(distinct "id") as aggregate
from"collections"where"id"in ('3', '5', '10')
and"user_id"='2'
When I believe it should look like this:
selectcount(distinct "id") as aggregate
from"collections"where"id"in ('10')
and"user_id"='2'
The reason I have this exists rule constraint is because I don't want a user to be able to modify another user's collections like if they modified the ajax request somehow maliciously.
Expected behavior
I would expect that the only data that is validated is the data that is constrained by the modified query.
Steps to reproduce
Clone reproduction repo, install and migrate (sqlite database).
Navigate to /admin
Login as test1@example.com / password.
Click the accounts resource.
Click the collections action on an account.
Assign at least one collection to the account.
Login as test2@example.com / password.
Click the collections action on the same account in step 4.
Try to assign at least one collection to the account and observe the validation error.
I believe the issue is because the loadStateFromRelationshipsUsing() is not applying the modified query constraint. This is likely because the saveRelationshipsUsing() is using sync which requires the entire array rather than only the validated data.
Package
filament/filament
Package Version
v3.2.62
Laravel Version
v11.1.1
Livewire Version
v3.4.9
PHP Version
PHP 8.2.16
Problem description
I have the following form in an
AccountResource
table action (take note of the modified relationship query and added constraint to the exists rule).The relationships: An
Account
model has a many-to-many relationship to aCollection
model. A collection belongs to a single user.The collection model has a scope
ownedByCurrentUser()
which simply applies a->where('user_id', Auth::user()->id)
constraint.It looks like this on the front end:
User 1:
User 2:
As you can see, each user see's their own collections.
The problem occurs when one user adds an account to one of their collections, and then another user tries to add the same account to one of their collections. The second user will fail with validation errors.
If you view the query that is sent to the database I believe it's because the
exist
rule is trying to validate against all collections that the account belongs to regardless of the scoped query and since this could be another user's collections, it fails.For example, in the first screenshot above, User 1 had added this account to two collections. In the second screenshot, User 2 tries to add that same account to one of their collections and they get the following:
The query that is sent to the database looks like this:
When I believe it should look like this:
The reason I have this exists rule constraint is because I don't want a user to be able to modify another user's collections like if they modified the ajax request somehow maliciously.
Expected behavior
I would expect that the only data that is validated is the data that is constrained by the modified query.
Steps to reproduce
/admin
test1@example.com
/password
.test2@example.com
/password
.Reproduction repository
https://github.com/ryanmortier/filament-issue-exists-rule/
Relevant log output
No response
Donate 💰 to fund this issue
The text was updated successfully, but these errors were encountered: