RedBean PHP: Is there a way to protect a database column from being changed? (ex: insertion_date )

Question

Already used as many ORMs as you can imagine. At moment I'm in a love / hate crush with RedBean PHP. Here we go... after a few hours studying it I got a doubt about whats the better way to solve this very basic problem (best way means, in this case, the way that better fits to the RedBean's ease of use philosophy):

It's very common to limit access to some properties of our classes so we can prevent certain kinds of wrong data manipulation. This is usually accomplished with good use of getters and setters. But as far as already know about RedBean, there are no formal setters in the native classes, only some public properties that can be changed and persisted in the database.

What I would like to do is to protect some properties from being changed manually, so I can avoid other programmer to make any kind of weirdness like:

$beam->insertion_date = 'yesterday';
R::store($beam);

That field should never be changed after the row insertion, obviously, but we can't just trust no one will do that. Is there a way to achieve something like turning the insertion_date a protected property or making it inaccessible in some way?

I have a feeling that the best way to do that is using $beam->setMetadata() and declare that a given property shouldn't be changed, but I don't know how to achieve this in RedBean and still couldn't find enough information in the official manual. Any help is appreciated.

Thanks for reading.

Answer 1

The only bulletproof way to protect your db from unauthorized or unintended modifications is by using the privileges system of your database (GRANT and REVOKE) by using different user profiles with specific privileges down to the column level, etc.

Maybe not easy to implement, but by keeping privileges in (customized) code there will always be loopholes.

Answer 2

Another way is to set the data type of the column to a type that has the status specified.

For instance if you change varchar(255) to varchar(254) RedBeanPHP will spot the change and leave the column alone because it's now a specified column, for int you can use INT(10) for instance. Special types will never get converted: ENUM/DATE etc.

Answer 3

Found a solution!

1. On your model, store the state of a bean on a private property every time a bean is loaded from the database.

2. Before put things back in the database, test if the values that shouldn't have been changed were changed programatically.

   • In positive case, Throw an exception or add any other event to warn the programmers that they are trying to change probably by mistake a field that shouldn't be changed.

This is how the example model should look now:

class Model_book extends RedBean_SimpleModel{

    protected $before = false;

    public function open(){
        if($this->bean->id){
            $this->before = clone($this->bean);
        }
    }

    public function update(){
        if($this->bean->id){
            if($this->before->insertion_date != $this->bean->insertion_date){
                throw new exception ("The insertion_date can't be changed.");
            }
        }
    }
}

So now the following code would result in exception:

$beam->insertion_date = 'yesterday';
R::store($beam);

Note: the use of RedBean's meta information API would be a better solution, but it wouldn't make sense to add (only) this validation criteria without add a complete validation layer on top of RedBean. On the other hand, add a custom full validation would become useless in case a built-in validation get added to the ORM in the near future (I bet it will happen), so I'll leave it as it is for now.

Hope that helps.