Add filterable field for preventing security issues

src/Exceptions/FilterableException.php

@@ -0,0 +1,8 @@
+<?php
+
+namespace N7olkachev\LaravelFilterable\Exceptions;
+
+class FilterableException extends \Exception
+{
+
+}

src/Filterable.php

@@ -2,11 +2,17 @@
 
 namespace N7olkachev\LaravelFilterable;
 
+use N7olkachev\LaravelFilterable\Exceptions\FilterableException;
+
 trait Filterable
 {
     public function scopeFilter($query, array $filterData = [])
     {
         foreach ($filterData as $key => $value) {
+            if (!$this->isFilterable($key)) {
+                throw new FilterableException("[$key] is not allowed for filtering");
+            }
+
             if (is_null($value) || $value === '') continue;
 
             $scopeName = ucfirst(camel_case($key));
@@ -20,4 +26,11 @@ public function scopeFilter($query, array $filterData = [])
             }
         }
     }
+
+    protected function isFilterable($key)
+    {
+        $filterable = $this->filterable ?: [];
+
+        return in_array($key, $filterable);
+    }
 }

tests/FilterableTest.php

@@ -3,6 +3,7 @@
 namespace N7olkachev\LaravelFilterable\Test;
 
 use Carbon\Carbon;
+use N7olkachev\LaravelFilterable\Exceptions\FilterableException;
 use N7olkachev\LaravelFilterable\Test\Models\Page;
 
 class FilterableTest extends TestCase
@@ -45,4 +46,11 @@ public function it_works_for_arrays()
         $pages = Page::filter(['title' => ['Third page']])->get();
         $this->assertEquals($pages->count(), 0);
     }
+
+    /** @test */
+    public function it_throws_on_not_allowed_field()
+    {
+        $this->expectException(FilterableException::class);
+        Page::filter(['foobar' => 'foo']);
+    }
 }

tests/Models/Page.php

@@ -14,6 +14,11 @@ class Page extends Model
         'created_at',
     ];
 
+    protected $filterable = [
+        'title',
+        'created_after'
+    ];
+
     public function scopeCreatedAfter($query, $time)
     {
         return $query->where('created_at', '>', $time);