I realise this is a somewhat general question. I guess it can be best summarised as "if I’m not binding any user-facing properties directly to models, do I need to be worried about those models changing"?

A Laravel / Livewire project I’m working on has various levels of admin user, so at a number of stages I need to check if a user has the authority to do what they’re trying to do.

For reasons I won’t go into, I’m using a custom method to do this, rather than Laravel’s gates, but I’m happy that that process returns the correct answer (ie. "yes, they can do this" or "no, they can’t do this").

So, for example, an admin with the correct rights can administer another user. Using a practical example, they can administer the user’s listings at an event for which they have the relevant rights. Bulk administration of the listings is handled through a Livewire Modal component.

The modal is mounted with the relevant seller and event:

public $seller;
public $event;

public function mount(User $seller, Event $event) {
    $this->seller = $seller;
    $this->event = $event;
}

At the point of rendering, the logged-in user is retrieved and their permissions are checked. If they have the right permissions, they are shown the relevant modal; if not, they are shown a "you don’t have the rights to do this" modal:

public function render()
{
    $user = Auth::user();
    if(!$user->eventRolesInclude(['owner', 'relevantrights'], $this->event)) {
        return view('main.forbidden');
    }
    return view('livewire.admin.modals.specific.modal');
}

The modal itself contains only a close button, and a button to do the relevant action. It uses the $seller property only to customise the wording on the page (number of items, name of seller, etc.).

When the admin clicks the action button, it then calls a function within the component to carry out the necessary action:

public function doSomething()
{
    // Re-check authorisation on the server for every action call
    $admin = Auth::user();
    if(!$admin->eventRolesInclude(['owner', 'relevantrights'], $this->event)) {
        $this->alert('warning', "You do not have the right role to do this");
        return false;
    }
    $listings = $this->seller->getListingsForEvent($this->event);
    // Go on and do stuff
}

I guess my question is this:

  1. If I’m not using the $seller model (in this example) for anything other than outputting the seller’s name in the modal, do I need to worry about it being changed in any way? In the doSomething() method can I be confident that there is no way that $this->seller will return any seller other than the one instantiated in the mount() method? Are there any circumstances under which someone with knowledge of developer tools on the front of the site could alter the property?

  2. Likewise, if I’m obtaining the logged in user in the render() method, do I need to obtain it again in the doSomething() method? Or would it be more efficient to obtain the $admin user in the mount() method, assign it to a public property, and then call that public property using $this->admin in the doSomething() method?

2 Answers

  1. It might help you:

    https://www.youtube.com/watch?v=SG5g4bU4ZKU

    In this video he is talking about security and speed.

  2. You should have a read in the official docs. It states some security concerns and practices you should be aware of.

    But to give a quick rundown:

    • Livewire makes a full-round request, meaning anybody who can view your requests can see all the data that is passed from and to the server. If you don’t properly hide certain content, such as passwords, then these values are visible.
    • Livewire protects your models from simple attacks (such as changing ID), however, if you manually find your model and don’t validate it before updating it, then you can create your own security risks. If your $seller variable has no sensitive information, having it as public property is not dangerous. It won’t just randomly be modified if the user cannot perform actions. As long as every function that could potentially be called is validated, you don’t have to worry. You can make functions protected or private if you don’t want to validate them. That way, they can only be called server side (not by someone injecting a wire:click="publicFunction" in the DOM).
    • If you use select statements to hide sensitive information, you should be using computed properties.

    Hope this clears things up.

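The practices listed in the answer above (re-validate every public method, keep helpers non-public so they cannot be invoked through an injected wire:click, and use a computed property instead of a stored property for display-only data), put together in one component. This is an added example written for this page, not code from the asker, the answerer or the Livewire project; it assumes Livewire 2 conventions and that the User::eventRolesInclude() and User::getListingsForEvent() methods exist as described in the question. The class, namespace, view name and applyBulkAction() helper are hypothetical.

```php
<?php
// Added example, not the asker's code. Assumes Livewire 2 and the custom
// eventRolesInclude() / getListingsForEvent() methods from the question.

namespace App\Http\Livewire\Admin\Modals;

use App\Models\Event;
use App\Models\User;
use Illuminate\Support\Facades\Auth;
use Livewire\Component;

class BulkListingModal extends Component
{
    // Public properties are serialised into the page and sent back with every
    // request. Livewire re-hydrates Eloquent models from class + primary key and
    // signs the payload with a checksum, so a changed ID is rejected, but any
    // public property is still readable by whoever can inspect the request.
    public $seller;
    public $event;

    public function mount(User $seller, Event $event)
    {
        // Deny early: do not even render the modal for an unauthorised user.
        abort_unless($this->currentUserMayAdminister($event), 403);

        $this->seller = $seller;
        $this->event  = $event;
    }

    // Computed property (Livewire 2: getXProperty => $this->x / $x in Blade).
    // It is evaluated on the server at render time and never stored in the
    // component payload, so only these two values reach the browser.
    public function getSellerSummaryProperty(): array
    {
        return [
            'name'  => $this->seller->name,
            'count' => $this->seller->getListingsForEvent($this->event)->count(),
        ];
    }

    // Every public method is callable from the browser via wire:click whether
    // or not a button for it exists in the DOM, so it re-checks authorisation
    // against the server-side session instead of trusting client data.
    public function doSomething()
    {
        abort_unless($this->currentUserMayAdminister($this->event), 403);

        $listings = $this->seller->getListingsForEvent($this->event);
        $this->applyBulkAction($listings);
    }

    // Protected: Livewire exposes only public methods to the browser, so this
    // cannot be triggered by an injected wire:click="applyBulkAction".
    protected function applyBulkAction($listings): void
    {
        foreach ($listings as $listing) {
            // Hypothetical bulk operation on each listing goes here.
        }
    }

    // The admin is resolved from the session on each request. Keeping it out
    // of a public property avoids serialising the whole User model to the client.
    protected function currentUserMayAdminister(Event $event): bool
    {
        $user = Auth::user();

        return $user !== null
            && $user->eventRolesInclude(['owner', 'relevantrights'], $event);
    }

    public function render()
    {
        return view('livewire.admin.modals.bulk-listing');
    }
}
```

On the asker's second question: Auth::user() is resolved once per HTTP request and cached by the guard, and each Livewire action is its own request, so calling it again in doSomething() costs one session lookup at most, while storing the admin in a public property would ship that model's attributes to the browser on every round trip.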