Joel Clermont (00:00):
Welcome to No Compromises, a peek into the mind of two old web devs who have seen some things. This is Joel.

Aaron Saray (00:08):
And this is Aaron.

Joel Clermont (00:16):
One of the eternal debates that I've seen carried out in the Laravel world is whether to use the fillable property on our models or to use the guarded property on our models. They're two different approaches and there's some strong opinions on both sides. Those that prefer being explicit and adding everything to fillable tend to maybe be a little bit more on the cautious side and the explicit side and are okay with a little extra work every time you want to expand that list. Those that use the guarded property might just say, "You know what? There's certain things I don't want to be filled but everything else can kind of default to being filled. And I'm okay with that little bit of risk because it gives me the flexibility to move faster and we have other processes in place to catch things that we wouldn't expect." That's how I summarize it, there's a lot more nuance to it than that. But, Aaron, where do you fall on that spectrum?

Aaron Saray (01:25):
Well, I think, kind of like you said, there may be reasons people choose both sides of that debate, guarded versus fillable. But I wouldn't necessarily say it's a difference of being explicit because both require you to define columns so they're both explicit in their own way.

Joel Clermont (01:41):
Unless...

Aaron Saray (01:41):
One is defining things that you wouldn't want and one is defining things that you would want. So it is a way of being explicit, just what direction are you coming from?

Joel Clermont (01:53):
What about the star? What if you throw the star in there?

Aaron Saray (01:56):
I mean, yeah, unless it's a star which is just... Everything just goes haywire then. You asked me where I am on that. I would say I'm a fillable type of person and the reason is because I happen to hang out in the security-minded area. It's an idea of whitelist versus blacklist or allow versus deny. Things like that.

Joel Clermont (02:20):
Sure, yeah.

Aaron Saray (02:21):
If you've seen enough of these things over the years, you've seen that this deny list is always the source of places where people run into failure. Your deny list is only as strong as the things you can think of to deny. Whereas your allow list is strong because it's only the things you know that you'll want and that is it. Everything else is not available to you. That's kind of why I tend to aim on the fillable side, is I want to say that these are things that I am willing to allow in a sort of mass assignment coming from anywhere into my model because I want to define the things that I know are going to be in there. For me, it's kind of the same reason too as, are you a select star from table person or do you select specific columns that you want? If you look at the underlying queries from a lot of these ORMs, they're still getting all of the table columns and selecting those too. They're not just saying select star, I think there's a lot of, we'll call it your term, explicit things going on where things are named. They're maybe just automated but they are named because of both security and performance considerations.

Joel Clermont (03:46):
Okay. I sort of knew this was your opinion before I asked the question but I like to hear you explain it. And I'll be honest that before you and I worked together, I probably leaned the other direction and you've been slowly winning me over. But having this mindset will help me to challenge you a little bit and to question some of the things I hear people say. And maybe even things I've said myself in the past, about why that might not be the way we want to do it in our team. With fillable, one common complaint I hear is that any time I want to add a property I now have to do it in multiple places, right? I have to remember to add it to the model, I'm probably adding it to a form request. Any thoughts on that? I mean, again, I kind of know what you're going to say but I'd like to hear it from your eloquent mouth.

Aaron Saray (04:46):
Tough cookies, buddy. I kind of recoil when I hear, "Well, that's more work," because it's not more... There's a difference between work and busy work. I think people sometimes will assume that this is busy work, when really it's work to do a specific thing that is part of your process for security and for accuracy, and things like that. It would be like saying, "I added another lock to my door. Oh, it's more work to lock that lock too." Not really, it's the thing you have to do to get use out of that feature. You have to twist that knob now to lock that door. I consider this more work sort of thing, yeah, it is one extra step but it's the step that you have to do in order to get the things that you've made an agreement to get. Which is the security and accuracy of your requests.

Joel Clermont (05:44):
Yeah, that's a fair way of looking at it. I think even people that would make this argument, they admit it's not really that much work. It's more of an annoyance than like, "Oh, this is going to take me an hour." No, it's like you're adding one line to an array. Generally what I experienced sometimes, is I'd write a test and my test would fail and then I'd be like, "Oh, I forgot to add it to fillable, right?"

Aaron Saray (06:07):
Mm-hmm (affirmative).

Joel Clermont (06:07):
So yeah, you bump into that. It's a little annoying in the moment, but it's not that big of a deal.

Aaron Saray (06:13):
Well, actually at the time I've run into that too and been a little irritated. But on reflection, it tells me my tests are working.

Joel Clermont (06:21):
That's true, yeah.

Aaron Saray (06:23):
If I don't add that and my test fails, that's one more reason I can sleep at night knowing that when I deploy my stuff all my tests pass because they are that stringent.

Joel Clermont (06:33):
Yeah, that's another side benefit. Here's another argument that I've heard brought up, which is, well, our team has already standardized. We only fetch validated data from the request, so we never do request input, some field name. We always do request validated, some field name. The reason that's a counterargument is that, well, we've already explicitly had to validate that field so therefore why wouldn't we want to pass it into a mass assignment on a model? What are your thoughts on that?

Aaron Saray (07:11):
Yeah, I understand that and that's a great thing. I'm glad to hear that teams are using the validated method off a request, that's what you should do.

Joel Clermont (07:20):
Yeah.

Aaron Saray (07:21):
But I will also say, show me a project that does everything the same a hundred percent of the time and I'm just going to quit programming. It's just not... As much as we say we do these things, we're all human programmers doing things and you won't always do it right the same way. And it might be a mistake, it might be a choice, it might be it slipped through that review process. If you look at a lot of the SQL injection type hacks and stuff like that, where people get their libraries broken into or hacked, or cross-site request forged, all these different things, right? It's because that project had a great plan to mitigate these risks but they missed it in one spot. They're like, "We always prepare our statements for MySQL except for this one place where we didn't, and then someone was able to find that and that's how they hacked this website." So it's the same thing. First of all, I don't buy the "we always do" thing because you don't. Even if you have tools that help you, those tools can be mistaken or there's so many different ways, right?

Joel Clermont (08:28):
Mm-hmm (affirmative).

Aaron Saray (08:28):
The second thing that goes hand in hand with that is, great, I'm glad you're doing that. That's a very awesome, very calculated, secure and accurate thing. Here's another thing to do, security in depth, steps upon steps. I like to tell people, again it's like my house, is I lock my doors but I also have private WHOIS information on my domains. I don't like to tell everyone where I live but I also lock my door so they can't get in.

Joel Clermont (08:54):
Okay.

Aaron Saray (08:55):
To me that's like saying, "I do one of these things." That's great and you absolutely should, why don't you do both?

Joel Clermont (09:02):
I know when I've challenged you on this in the past too. Another reason you gave me that helped me understand this too is while maybe most of our uses of mass assignment come from a form request in a controller not all of them do, right? So maybe there's places in the code like we're writing a command or something that isn't in that same controller action that can rely upon a validated payload from a form request. That would be another reason. You don't have to think of that. If you have that extra check in place on the model, you'll bump into it if you didn't explicitly already decide in advance this property should be fillable.

Aaron Saray (09:45):
Yeah, we've preached before about validating incoming data from third parties. But that's not always in place, so you might be doing an API request somewhere too, getting data and then applying it to your model. What if that person decided, "Hey, why don't I send along the role field and see if they block that and I can make everyone admins. Ha-ha-ha."

Joel Clermont (10:09):
Well, this was helpful even for somebody maybe listening to this that doesn't agree completely. Hopefully it's food for thought. I know myself, I like the idea of sort of challenging my own opinions in programming because even if I don't change my opinion, maybe it's even strengthened my opinion. Because I understand even more why I like a certain thing I do. And of course, you always have to work within the constraints of your team. If somebody else on the team has made this decision for you that you use guarded, then well maybe you can share this podcast episode with them.
Recently I was cleaning out my garage and I'm a little ashamed to admit, there is a lot of junk that I have held onto far longer than I should have. But we were preparing for a construction project and so I had a dumpster in the driveway. You know what, now is the time to go through some of this. Just some examples of things that I really didn't need to keep. Credit card statements from 25 years ago. Probably not... the accounts are closed, there's no reason to have it. And now it's annoying because that, I actually don't throw in the dumpster. I have to shred that because some of it does have personal information on it. I had a few boxes of that. Old books, things like that. I had Windows 95 install disks. Okay, so that's, you know, a little trip down memory lane as I'm going through some of these things.

Aaron Saray (11:43):
That was a CD-ROM, right?

Joel Clermont (11:46):
Yes, it was a CD-ROM.

Aaron Saray (11:48):
All right.

Joel Clermont (11:48):
And it actually...

Aaron Saray (11:49):
With a big book in it to make the box heavier?

Joel Clermont (11:53):
No, this one actually said Chicago on it which was the code name for Windows 95 because it was a pre-release version. I don't even remember where I got it but I was pretty excited about it at the time. It has been thrown away. Something else I used to really enjoy, my PalmPilot. Remember those PalmPilots?

Aaron Saray (12:13):
I bought a color one.

Joel Clermont (12:15):
Okay. I bought this thing that you could clip to a notepad and write with a pen and it would transcribe it to your PalmPilot. It was still in the box, I had never opened it and I threw it away.

Aaron Saray (12:30):
Have you heard of this place called eBay?

Joel Clermont (12:33):
EBay. Some of these things I did look up and a few things I did keep. But a lot of it I'm like, "You know what, I'm never going to sell this." I had some old computers which we actually just got scrap metal costs for and old machines we deracked from a data center. I know you've moved recently, but have you come across anything like this in your life? Things that you held onto way past their useful life?

Aaron Saray (12:59):
Well, actually that's funny you brought it up and it sounds like we planned this, but we didn't. Today I was actually getting rid of something I've held on for way too long. First of all, I pay for movers to move because I'm either too old or too fat to do it myself. That means that everything you move, you have to actually... You end up paying to move it from place to place in time, right?

Joel Clermont (13:25):
Yeah.

Aaron Saray (13:25):
Or whatever they charge per hour. A couple of years ago, I had gone to an Asian grocery store and got seaweed that is like little pieces in little boxes that you eat as a snack. And it's like 10 or 12 pieces or something, and it's actually pretty good.

Joel Clermont (13:49):
Mm-Hmm (affirmative).

Aaron Saray (13:49):
I don't like a lot of that type of things but I like those. I'm a little weird, whereas when I like a thing, I then buy all of it. So I decided that I am now the seaweed eating guy. I decided this a couple years... Actually, a couple places ago. I went on Amazon and I found a great place. It was extra virgin olive oil seaweed, you know all this kind of stuff. Nothing bad in it and I subscribed and saved. I'd get a case of it every month. Well, it turns out after the first week, I just wasn't the seaweed guy anymore. I was like, "This is just too much seaweed snack." I was like, "Well, I'll take this up again." Take it up, like it's just some sort of thing I need to achieve. I let the Subscribe and Save go on for like four or five months, I ended up having like five cases of this stuff now in my pantry. It was on top of my cupboards and stuff and people would come over and be like, "You really like seaweed?" I'd be like, "Shut up." I cannot explain how this happened, I forgot about this whole entire thing and I came across avocado oil seaweed. I was like, "This is awesome." I ate some of it and the same pattern happened. Mind you, I have these seaweed boxes on top of my cupboard and I just don't see them anymore, right?

Joel Clermont (15:08):
Yeah.

Aaron Saray (15:08):
So I subscribed and saved this new thing. Now, suffice to say, right before I ended up moving, I was like, "Wow, I'm not eating these avocado oil things," so I stopped that subscription. So I ended up packing up two moving boxes worth of cases of seaweed. They take up tons of room, but they're super light, so the guys are like, "What?" They pick up these boxes and I'm like, "Oh, don't. It's just like blankets or something." I said it was like pillows. Then I moved to my next place, which I was there for two and a half or three years and I brought out a case of them, and put them up in my cupboard. Then I moved to my new place now and that was about ten months ago. I ran out of space in my pantry so they were in my spare bedroom closet, these eight cases of seaweed.

Joel Clermont (15:57):
Oh boy.

Aaron Saray (15:58):
And just today I decided, "I'm going to throw these out."

Joel Clermont (16:02):
What's the shelf life on seaweed?

Aaron Saray (16:04):
I don't know, man.

Joel Clermont (16:06):
Was it even still edible?

Aaron Saray (16:09):
Yeah. I mean, maybe.

Joel Clermont (16:10):
That's not the point, I know. I'm sorry.

Aaron Saray (16:11):
I'm taking it out of the cases to throw it away. I noticed that all the cases have oil at the bottom... Not liquid oil, but oil splotches. Yeah, they're probably done being whatever they are. But who knows, it's seaweed, man.

Joel Clermont (16:29):
You'll make a raccoon pretty happy in the dumpster today.

Aaron Saray (16:31):
So far now it's two big black garbage bags full and I still have some more. Yeah, I do know about your scenario with keeping things maybe too long.

Joel Clermont (16:46):
Thank you for sharing.

Aaron Saray (16:46):
I think I might also have other problems in my life too.

Joel Clermont (16:49):
Oh boy.

Aaron Saray (16:52):
You might have noticed I snuck in something inside the podcast today, about how we recommend a certain form of validation. Validating third party. Well, we wrote a lot about that actually.

Joel Clermont (17:03):
If that sounds interesting to you, you can check it out in our eBook and accompanying exercises at our website nocompromises.io/book.

No Compromises, LLC