Security

Resources

Protecting model attributes

Filament will expose all model attributes to JavaScript, unless they are listed in the $hidden property on your model. This is Livewire's behaviour for model binding. We preserve this functionality to facilitate the dynamic addition and removal of form fields after they are initially loaded, while preserving the data they may need.

While attributes may be visible in JavaScript, only those with a form field are actually editable by the user. This is not an issue with mass assignment.

To remove certain attributes from JavaScript on the Edit and View pages, you may override the mutateFormDataBeforeFill() method:

protected function mutateFormDataBeforeFill(array $data): array
{
    unset($data['is_admin']);

    return $data;
}

In this example, we remove the is_admin attribute from JavaScript, as it's not being used by the form.
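As an added example (not taken from the Filament documentation), the same hook can be written as an allow-list, so that attributes added to the model later are not sent to the browser by default. The `EditUser` page, the `UserResource` class and the `name` and `email` attributes are assumptions for illustration.

```php
<?php

namespace App\Filament\Resources\UserResource\Pages;

use App\Filament\Resources\UserResource; // assumed resource class
use Filament\Resources\Pages\EditRecord;
use Illuminate\Support\Arr;

class EditUser extends EditRecord
{
    protected static string $resource = UserResource::class;

    /**
     * Attributes the form has fields for (assumed names).
     * Include attributes needed by fields that are added dynamically
     * after load, since they are filled from this data as well.
     */
    private const FORM_ATTRIBUTES = ['name', 'email'];

    protected function mutateFormDataBeforeFill(array $data): array
    {
        // Keep only the listed keys. Anything else on the model,
        // such as is_admin, never reaches the Livewire component
        // state and so is not exposed to JavaScript on this page.
        return Arr::only($data, self::FORM_ATTRIBUTES);
    }
}
```

Attributes that should never be serialized anywhere, such as password hashes or tokens, are better placed in the model's `$hidden` property, which applies to every page rather than only the one that overrides this method.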
