JussiMannisto wrote a reply

4h ago

Are you serving the site over https? Or are you using something like http://localhost?

Browsers ignore the secure flag of cookies on localhost. They treat *.localhost domains as special cases and don't enforce the secure requirement because it makes local development easier. But they should still respect cookie prefixes (if they're supported to begin with). If you're not using https, that would explain why your session cookies aren't working.
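As an added illustration (not code from the reply above), here is a small PHP script that models those two browser rules for a given Set-Cookie header and page origin: the Secure requirement is waived for localhost and *.localhost, while the __Secure- and __Host- prefix rules are not. The sample headers and origins are constructed; the cookie name mirrors Laravel's default session cookie, but nothing else about the app is assumed.

```php
<?php
// Added example, not part of the original reply. Models what a browser does
// with a Set-Cookie header sent from a given origin:
//   1. a Secure cookie from a plain-http origin is dropped, except on localhost;
//   2. the __Secure- / __Host- prefix rules apply everywhere, localhost included.
declare(strict_types=1);

/**
 * Return the reasons the browser would reject the cookie, or [] if it is stored.
 * $origin is the page sending the header, e.g. "http://localhost:8000".
 */
function checkSetCookie(string $setCookie, string $origin): array
{
    $parts = array_map('trim', explode(';', $setCookie));
    $nameValue = array_shift($parts);
    $name = trim(str_contains($nameValue, '=') ? strstr($nameValue, '=', true) : $nameValue);

    // Attribute names are case-insensitive; value-less ones (Secure, HttpOnly) become true.
    $attrs = [];
    foreach ($parts as $part) {
        if ($part === '') {
            continue;
        }
        [$key, $value] = array_pad(explode('=', $part, 2), 2, null);
        $attrs[strtolower(trim($key))] = $value === null ? true : trim($value);
    }
    $secure = isset($attrs['secure']);

    $scheme = strtolower((string) parse_url($origin, PHP_URL_SCHEME));
    $host = strtolower((string) parse_url($origin, PHP_URL_HOST));
    $isLocalhost = $host === 'localhost' || str_ends_with($host, '.localhost');

    $problems = [];

    // Rule 1: Secure cookies need an https origin, unless the origin is localhost,
    // which browsers treat as trustworthy for local development.
    if ($secure && $scheme !== 'https' && ! $isLocalhost) {
        $problems[] = "Secure cookie rejected: origin $origin is not https";
    }

    // Rule 2: prefix rules are enforced regardless of origin. Prefixes are matched
    // case-insensitively here, the stricter reading.
    $lower = strtolower($name);
    if (str_starts_with($lower, '__host-')) {
        if (! $secure) {
            $problems[] = '__Host- prefix requires the Secure attribute';
        }
        if (($attrs['path'] ?? null) !== '/') {
            $problems[] = '__Host- prefix requires Path=/';
        }
        if (isset($attrs['domain'])) {
            $problems[] = '__Host- prefix forbids the Domain attribute';
        }
    } elseif (str_starts_with($lower, '__secure-') && ! $secure) {
        $problems[] = '__Secure- prefix requires the Secure attribute';
    }

    return $problems;
}

// Constructed headers standing in for what a Laravel app might send.
$session    = 'laravel_session=abc123; Path=/; HttpOnly; Secure; SameSite=Lax';
$hostCookie = '__Host-laravel_session=abc123; Path=/; HttpOnly; SameSite=Lax';

foreach ([
    [$session,    'https://app.example'],      // stored
    [$session,    'http://localhost:8000'],    // stored: Secure waived on localhost
    [$session,    'http://192.168.1.20:8000'], // dropped: plain http, not localhost
    [$hostCookie, 'http://localhost:8000'],    // dropped: prefix rule still applies
] as [$header, $origin]) {
    $problems = checkSetCookie($header, $origin);
    printf("%-28s %s\n", $origin, $problems ? implode('; ', $problems) : 'stored');
}
```

The third case is the one behind "my session cookies aren't working": serving over plain http from a LAN address or a real hostname with `SESSION_SECURE_COOKIE=true` means the browser silently drops the session cookie on every response.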

JussiMannisto wrote a reply

22h ago

How?

JussiMannisto wrote a reply

6d ago

When a user goes to their roles page and goes to a specific role panel, I will put the hidden roleId on forms, so I can check in authorization if this user has this role, and if this role has the permission needed for the action. How is it? Is it a bad practice?

Don't do this. Anyone could modify the hidden input in the page source and spoof a different role.

You don't need to add any hidden inputs. Your backend already knows who the user is, and you can use Laravel's built-in authorization features. I strongly recommend you read the documentation first:

https://laravel.com/docs/13.x/authorization

But I can give you a quick rundown.

Below is a simple policy class for a Post model. It has just one authorization check: can a user edit a post. Editing is allowed if the user is a super-admin or the original author of the post.

use App\Models\Post;
use App\Models\User;

class PostPolicy
{
    // Editing is allowed for a super-admin or for the post's author.
    public function edit(User $user, Post $post): bool
    {
        if ($user->role === 'super-admin') {
            return true;
        }

        return $user->id === $post->user_id;
    }
}

Here's how you register the policy on the model:

use Illuminate\Database\Eloquent\Attributes\UsePolicy;

#[UsePolicy(PostPolicy::class)]
class Post extends Model {
    ...
}

Once you have the policy registered, you can do authorization checks in code, middleware, and Blade templates. Some examples:

// Authorization check in route middleware:
Route::patch('/posts/{post}', [PostController::class, 'update'])
    ->can('edit', 'post')
    ->name('posts.update');

// Authorization check in a controller:
if ($request->user()->can('edit', $post)) {
    ...
}

// Authorization check in Blade (same ability name as the policy method):
@can('edit', $post)
    ...
@endcan

The docs have all the details.
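To make the difference concrete, here is an added example (not code from the reply above or from Laravel itself) showing the question's hidden-role_id check next to a controller action that relies on the PostPolicy from the reply, followed by a feature test that submits a forged role_id. The Role model and its permissions relation, the edit-posts permission name, the posts.show route, a user() relation on Post, and the Post and User factories are all assumptions.

```php
<?php
// Added example, not code from the reply or from Laravel. Assumes PostPolicy
// is registered on App\Models\Post as shown above, plus a hypothetical Role
// model with a `permissions` relation, an `edit-posts` permission name, a
// `posts.show` route, a `user()` relation on Post, and Post/User factories.

// app/Http/Controllers/PostController.php
namespace App\Http\Controllers;

use App\Models\Post;
use App\Models\Role;
use Illuminate\Http\RedirectResponse;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Gate;

class PostController extends Controller
{
    /**
     * UNSAFE: the role is whatever the client sent. A hidden <input name="role_id">
     * is an ordinary request field; it can be edited in the dev tools or replayed
     * with curl, so this "check" only verifies the attacker's own choice.
     */
    public function updateUnsafe(Request $request, Post $post): RedirectResponse
    {
        $role = Role::find($request->input('role_id'));

        if (! $role || ! $role->permissions->contains('name', 'edit-posts')) {
            abort(403);
        }

        $post->update($request->only(['title', 'body']));

        return redirect()->route('posts.show', $post);
    }

    /**
     * SAFE: identity comes from the authenticated session and the decision from
     * PostPolicy::edit(). Nothing in the request body can influence it.
     */
    public function update(Request $request, Post $post): RedirectResponse
    {
        // Throws AuthorizationException (rendered as 403) when the policy denies.
        // Redundant with ->can('edit', 'post') on the route, which is fine: the
        // action stays safe even if someone later removes the route middleware.
        Gate::authorize('edit', $post);

        $validated = $request->validate([
            'title' => ['required', 'string', 'max:255'],
            'body'  => ['required', 'string'],
        ]);

        $post->update($validated);

        return redirect()->route('posts.show', $post);
    }
}

// tests/Feature/PostAuthorizationTest.php
namespace Tests\Feature;

use App\Models\Post;
use App\Models\User;
use Illuminate\Foundation\Testing\RefreshDatabase;
use Tests\TestCase;

class PostAuthorizationTest extends TestCase
{
    use RefreshDatabase;

    public function test_forged_role_id_does_not_grant_edit(): void
    {
        $author   = User::factory()->create();
        $attacker = User::factory()->create(['role' => 'member']);
        $post     = Post::factory()->for($author)->create(['title' => 'Original']);

        // role_id is what a tampered hidden input would carry; the policy never reads it.
        $this->actingAs($attacker)
            ->patch(route('posts.update', $post), [
                'title'   => 'Defaced',
                'body'    => 'pwned',
                'role_id' => 1,
            ])
            ->assertForbidden();

        $this->assertSame('Original', $post->fresh()->title);
    }
}
```

The test is the check worth keeping: it pins down that a non-author with any role_id they like gets a 403 and the row is untouched, so a future refactor that reintroduces request-driven authorization fails CI instead of shipping.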

JussiMannisto was awarded Best Answer

6d ago

What kind of attack are you talking about?

Users can do anything with their own front end, so they can of course submit the form anywhere. That's why you validate and authorize everything server-side.

On the front end, what you need to worry about is code injection that could affect other users (XSS).

JussiMannisto was awarded Best Answer

1w ago

It may be caused by the asset preload headers set by Inertia. Together with other headers, they can exceed the default FastCGI buffer size of Nginx. You can try increasing the size in the http block in nginx.conf, e.g.

fastcgi_buffers 16 16k;
fastcgi_buffer_size 32k;

Then restart Nginx.

JussiMannisto wrote a reply

1w ago

Why would your choice of session driver matter? Unless you use the cookie driver, it should make no difference whatsoever.

Nginx is telling you what's wrong: your backend (upstream) is sending response headers that are too big. Either increase the buffer size in Nginx or remove the AddLinkHeadersForPreloadedAssets middleware in Laravel. I don't recommend the latter if you care about performance.

JussiMannisto wrote a reply

1w ago

That error message told you what's wrong and what you need to do. You're missing PHP's XML extension.

JussiMannisto wrote a reply

2w ago

You didn't say what went wrong with Breeze and the starter kits.

JussiMannisto was awarded Best Answer

2w ago

View the page source. If you see fully rendered html, SSR works. If you see an empty div in the body, it's not working.

Note that only the first page is rendered on the server, and other pages are rendered client-side when you navigate to them. This is by design.

JussiMannisto wrote a reply

2w ago

For AI there is no easy question or hard question. If you ask questions, it runs a query from its database, calculates those data and passes them to you.

That's not how an LLM works. It doesn't run queries. It's a stochastic text predictor that produces text one token at a time. It's a pattern completion machine. The appearance of understanding is an illusion.

This is also true, but as of now you can get any kind of solution with AI.

No. AI gives you text output. Nothing beyond that is guaranteed.

AI gets things wrong, hallucinates, tries to solve every problem locally rather than globally, etc. Some issues may be solvable with tooling, but some may be fundamentally beyond the capabilities of the current text predictor approach. These LLMs aren't AGI.

JussiMannisto wrote a reply

2w ago

Then it's like a waste of time to learn all this stuff which can be automated in the future.

If it feels like a waste of time to learn what happens under the hood, software development might not be the right career path for you.

JussiMannisto wrote a reply

2w ago

As of today, AI agents can't make proper apps on their own. What they can do is produce junk that passes tests. To use it for any proper product, you have to understand the code and correct its issues.

It's clear that AI will be useful, but the hype is completely overblown. If you were to go back and read the marketing from two years ago, you'd think you have no future in tech if you didn't use [insert any AI tool hot at the time]. Now those AI models are obsolete, and if you spent the time learning the fundamentals of computer science instead, you'd be much better off.

Some of the recent layoffs in the tech sector can be attributed to pandemic-era over-hiring and the general downturn in the US economy. But I'm sure the over-hyping of generative AI is partly to blame. I believe we'll see more service degradation over the following years.

What you should do ultimately depends on your goals. If you're a non-programmer who wants something on the screen, you may not need to understand the code. I just don't see anyone hiring an "AI prompter" who's helpless when something doesn't work.

JussiMannisto wrote a reply

3w ago

"They" are being silly.

JussiMannisto wrote a reply

3w ago

It's not good or bad. It's GraphQL. Do you actually need it?

JussiMannisto wrote a reply

3w ago

What’s the fastest way to isolate whether the delay is coming from TTFB vs frontend rendering?

Run Lighthouse from Chrome's dev tools.

How are you serving the app? Just to be sure: are you building the assets, and not using any development tool (npm run dev or php artisan serve) in production?

In Apache, have you:

  • Enabled http2 or http3? This is pretty important.
  • Enabled traffic compression (gzip)?

What's the size of the largest javascript bundle when you build the assets?

The first things I'd do are open the browser dev tools and check the console for any errors and the network tab for any glaring issues, and then run Lighthouse or equivalent. You can analyze the waterfall graph in the Network tab, but I'd check the other stuff first.

JussiMannisto wrote a reply

3w ago

Because it's poorly written, unformatted and doesn't even contain a question. If you make an effort to be understood, you're more likely to get replies.

JussiMannisto wrote a reply

3w ago

I download the actual code, no library:

That IS the library. It can have malware whether you install it via npm or manually.

In this case, attackers included a package install script to install the RAT. A direct download couldn't do that, but it could contain other malicious code.

Npm has an automatic audit for vulnerable versions, unlike direct downloads.

But how much damage was done? Other servers could have been hit as well, depending on how the malware was written.

That wasn't what I meant. This is a serious attack. My point was that there's nothing to wait for because the compromised versions were removed over 24 hours ago.

I have never even used NPM.

Ok, but the rest of the industry does. And you still use other package managers, such as Composer and, presumably, some Linux package manager. Those have suffered supply chain attacks just like this.

While these attacks are nasty, in the real world you can't get away with a zero trust approach. You're relying on many layers of software just to run a web app. It takes vigilance.

JussiMannisto wrote a reply

3w ago

Until it's resolved I wouldn't even trust NPM.

It was resolved long before this thread. The compromised version was up for 3 hours.

The lead maintainer's account was hacked, allowing the attacker to upload the compromised version.

It's not feasible to "not trust" package managers, be it npm, composer or pip. Downloading libraries directly from a CDN definitely isn't any safer.

JussiMannisto wrote a reply

3w ago

How are you using the policy? Show your code.

JussiMannisto wrote a reply

4w ago

Have you started reading the documentation? It explains the basics.

JussiMannisto wrote a reply

1mo ago

200 is not a redirect response.

When a browser receives a 302, it automatically redirects to the url in the Location header. That url may then return a 200.

If you see a 200 response, it's probably where you got redirected to. You need to preserve logs in the dev tools to see the intermediate redirection.

JussiMannisto was awarded Best Answer

1mo ago

In addition to queue workers, any Laravel worker that needs to be running all the time: Reverb, Pulse, Inertia's SSR server, etc.

You shouldn't add system services such as Nginx, MariaDB, or PHP-FPM. Those are already managed by systemd.

JussiMannisto liked a comment

1mo ago

what are you on about?

JussiMannisto wrote a reply

1mo ago

I have read the post, sure ... nothing is talking about this.

Then you didn't understand what you read.

They posted screenshots from laravel.com, the official website of Laravel.

Why do you have the FlightController class inside the UserController.php file?

They don't. Laravel.com does.

JussiMannisto wrote a reply

1mo ago

Read the post.

JussiMannisto wrote a reply

1mo ago

They mixed up FlightController and UserController. It uses a $user variable that doesn't exist.

JussiMannisto wrote a reply

1mo ago

laravel.com

If you don't see it, they may be doing canary testing before full roll-out.

JussiMannisto wrote a reply

1mo ago

It's just sloppiness. I'm sure they'll fix it soon.

JussiMannisto wrote a reply

1mo ago

If the file is that big, you're trying to pass way too much data in the page props. The issue is not with Inertia, but with your backend code.

If you have an issue, create your own thread and show what you're doing in the controller.

JussiMannisto wrote a reply

1mo ago

Why iframes? Why not render the components normally in the same document, so you don't have to do all that messy cross-window communication just to get the height right?

Speaking of which, this is pretty bad:

setTimeout(sendHeight, 10);
setTimeout(sendHeight, 50);
setTimeout(sendHeight, 100);
setTimeout(sendHeight, 200);

I'm guessing they resorted to hacks like this because they used the wrong observer and were getting poor results. They needed ResizeObserver, not MutationObserver.

JussiMannisto wrote a reply

1mo ago

Each Blade component loads via iframe.

Uhh, what?

JussiMannisto wrote a reply

1mo ago

A general-purpose visual library might be difficult to implement. A dropdown menu is very different from a button, dashboard sidebar, or accordion. You could create a demo page, but it would have to be manually crafted based on what you want to showcase.

I'd probably just write UI design guidelines and include information about available components with visual examples.

P.S. Bootstrap 4 is quite old by now. I recommend migrating to version 5 at some point. Migration was pretty easy from what I remember: mostly just new features and some renamed classes.

JussiMannisto wrote a reply

1mo ago

I've never heard the term staging segment. What you need is a staging environment.

Staging is its own environment, similar to development and production. It runs its own instance of the app with its own database, storage, and everything.

The purpose of staging is to manually test changes in an environment that very closely matches production before you deploy them to production. You don't usually run automated tests in staging, as those are for development and CI environments. However, it should have everything you have in production, such as third-party API integrations.

In the case of a regular web app, the staging site would have its own domain or domains. You might run it on a separate server, in a Docker container (if you also use it in production), or even on a production server. Do whatever makes sense in your case.

For example, how and if to hide this from search engines and similar.

You can block external access in many ways. The easiest way is to add Basic authentication at the web server level. That way you'll be prompted for a password the first time you access the site. You could also use IP whitelisting, firewalls, VPNs, etc. But I wouldn't overthink it.
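Where you would rather not touch the web server configuration, the same gate can live in the application. The following is an added example, not code from the reply: a Laravel middleware that demands HTTP Basic credentials only when the app runs with APP_ENV=staging. The config keys staging.user and staging.password (a config/staging.php file reading STAGING_USER and STAGING_PASSWORD from .env) are assumptions.

```php
<?php
// Added example, not code from the reply: gate a staging deployment with HTTP
// Basic auth inside the Laravel app. Assumes config('staging.user') and
// config('staging.password') exist (a config/staging.php reading
// STAGING_USER / STAGING_PASSWORD from .env) and that APP_ENV=staging there.

namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;
use Symfony\Component\HttpFoundation\Response;

class ProtectStaging
{
    public function handle(Request $request, Closure $next): Response
    {
        // Only the staging environment is gated; local and production pass through.
        if (! app()->environment('staging')) {
            return $next($request);
        }

        $expectedUser = (string) config('staging.user');
        $expectedPass = (string) config('staging.password');

        // Symfony's Request exposes the parsed Basic credentials, if any were sent.
        $givenUser = (string) $request->getUser();
        $givenPass = (string) $request->getPassword();

        // Refuse outright if staging credentials were never configured: an empty
        // expected password must never match an empty submitted one.
        // hash_equals() runs in constant time, so response latency does not leak
        // how many leading characters of a guess were right.
        $authenticated = $expectedUser !== '' && $expectedPass !== ''
            && hash_equals($expectedUser, $givenUser)
            && hash_equals($expectedPass, $givenPass);

        if (! $authenticated) {
            // 401 plus WWW-Authenticate makes the browser show its password prompt.
            return response('Authentication required.', 401, [
                'WWW-Authenticate' => 'Basic realm="Staging", charset="UTF-8"',
                'X-Robots-Tag'     => 'noindex, nofollow',
            ]);
        }

        $response = $next($request);

        // Keep crawlers out even if a page is reachable with valid credentials.
        $response->headers->set('X-Robots-Tag', 'noindex, nofollow');

        return $response;
    }
}
```

Register it globally (in Laravel 11+, `$middleware->append(ProtectStaging::class)` inside the `withMiddleware` callback of bootstrap/app.php). One caveat: PHP only sees the credentials if the web server forwards the Authorization header; Laravel's stock public/.htaccess already rewrites it into HTTP_AUTHORIZATION for Apache setups that would otherwise drop it, and Nginx passes request headers to PHP-FPM as HTTP_* parameters by default.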

JussiMannisto wrote a reply

1mo ago

A modal is just a UI component on a page. It doesn't require any special architecture. You can implement normal CRUD routes while controlling the modal state in the UI code.

How to do all these routes correctly and how to organize the architecture and code correctly?

You're asking for someone to design the feature for you without seeing any of your code. If you want pointers, you're more likely to get help if you post your current solution.

I noticed that when loading the create/edit pages, if we upload all the data again, there is a delay.

What do you mean by this? There's always some delay when submitting data or loading pages over the internet.

JussiMannisto wrote a reply

1mo ago

Parse the data from the XML and write it to the database. You can use PHP's SimpleXML utilities for parsing.

I can't say much more with the given information.
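An added example (not code from the reply) of that two-step import with SimpleXML and PDO, written so that the XML parser cannot be abused to fetch external resources and the SQL is parameterised. The `<products>`/`<product>` record layout, the products table and the sample document are constructed assumptions; in a Laravel app the PDO part would normally be `DB::table('products')->upsert(...)`.

```php
<?php
// Added example, not code from the reply. Parses a product feed with
// SimpleXML and writes it through prepared statements. Record layout,
// table schema and sample document are constructed for the illustration.
declare(strict_types=1);

// Constructed stand-in for the poster's XML file.
$sampleXml = <<<'XML'
<?xml version="1.0" encoding="UTF-8"?>
<products>
  <product sku="A-100"><name>Widget</name><price>9.99</price></product>
  <product sku="B-200"><name>Gadget &amp; Co</name><price>19.50</price></product>
</products>
XML;

/**
 * Parse the document into validated rows. Throws on malformed XML or bad data
 * instead of silently returning false.
 */
function parseProducts(string $xml): array
{
    // LIBXML_NONET: the parser may not open network resources, so a DTD or
    // external entity in an untrusted feed cannot make this server fetch URLs.
    // Deliberately NOT passing LIBXML_NOENT, which would turn entity
    // substitution on and reopen the classic XXE hole.
    $previous = libxml_use_internal_errors(true);
    $doc = simplexml_load_string($xml, SimpleXMLElement::class, LIBXML_NONET);
    $errors = libxml_get_errors();
    libxml_clear_errors();
    libxml_use_internal_errors($previous);

    if ($doc === false) {
        $reason = $errors ? trim($errors[0]->message) : 'unknown error';
        throw new RuntimeException("Invalid XML: $reason");
    }

    $rows = [];
    foreach ($doc->product as $product) {
        $sku   = trim((string) $product['sku']);
        $name  = trim((string) $product->name);
        $price = trim((string) $product->price);

        // Validate every field before it gets anywhere near the database.
        if ($sku === '' || $name === '' || ! preg_match('/^\d+(\.\d{1,2})?$/', $price)) {
            throw new InvalidArgumentException("Rejected product record with sku '$sku'");
        }

        $rows[] = [
            'sku'         => $sku,
            'name'        => $name,
            'price_cents' => (int) round((float) $price * 100),
        ];
    }

    return $rows;
}

/**
 * Upsert the rows in one transaction. Values are bound parameters, so a
 * name like "x'); DROP TABLE products;--" is stored literally, not executed.
 */
function storeProducts(PDO $pdo, array $rows): int
{
    $stmt = $pdo->prepare(
        'INSERT INTO products (sku, name, price_cents) VALUES (:sku, :name, :price_cents)
         ON CONFLICT(sku) DO UPDATE SET name = excluded.name, price_cents = excluded.price_cents'
    );

    $pdo->beginTransaction();
    try {
        foreach ($rows as $row) {
            $stmt->execute($row);
        }
        $pdo->commit();
    } catch (Throwable $e) {
        $pdo->rollBack();
        throw $e;
    }

    return count($rows);
}

// Stand-alone run against an in-memory SQLite database.
$pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$pdo->exec('CREATE TABLE products (sku TEXT PRIMARY KEY, name TEXT NOT NULL, price_cents INTEGER NOT NULL)');

$count = storeProducts($pdo, parseProducts($sampleXml));
echo "$count products imported\n";
```

The `ON CONFLICT ... DO UPDATE` form is SQLite and PostgreSQL syntax; MySQL and MariaDB use `ON DUPLICATE KEY UPDATE` instead. Prices are stored as integer cents rather than floats so rounding never drifts between imports.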

JussiMannisto was awarded Best Answer

1mo ago

Version 24.10 is no longer supported, and Ondřej's repository doesn't have packages for it.

I recommend always using LTS (Long-Term Support) versions of distributions. In this case it would be Ubuntu 24.04.

JussiMannisto wrote a reply

1mo ago

Which version of Ubuntu are you running? Run this:

lsb_release -a

JussiMannisto wrote a reply

1mo ago

What were the exact commands you tried to run?

JussiMannisto wrote a reply

1mo ago

Are you generating these URLs on the fly, or do you want them to be user-editable?

Who are you asking? This thread is 4 years old.

JussiMannisto wrote a reply

1mo ago

That error output is quite unreadable in its unformatted state. This forum supports GitHub-style markdown. You should paste the errors in a code block using backticks:

```
Errors here
```

That said, I can see that you're (at least) missing the ext-bcmath PHP extension, which is required by moneyphp/money, which in turn is required by laravel/cashier. I'd start by installing the extension, then seeing if you have other dependency issues.

JussiMannisto wrote a reply

1mo ago

You didn't include a single error message in your post. "A slew of errors" isn't actionable.

JussiMannisto wrote a reply

1mo ago

I'd be really surprised if you couldn't run PHP. How would you even deploy the app without it? How would you run migrations, scheduled tasks, or queue workers?

JussiMannisto wrote a reply

2mos ago

Let's take a look at this part:

Even weirder: in my public folder, the "logs" folder is generated with an absolute path for the name: "C:\Users[my name][my website]\storage\logs"

Are you developing locally on Windows but deploying to a Linux server? If so, then this is definitely a cache issue: you executed some cache command on your local machine, then copied the compiled cache files to the production server. Linux tries to use your locally configured log path, but doesn't understand the Windows-style path name, hence the weird filename.

Try running php artisan optimize on the production server. That recompiles several caches (config, routes, etc.) using the environment variables of your live server. If that also fails, clear the previous caches first by running php artisan optimize:clear.