vguerrero

Software Engineer at Zaragoza, Spain

Member Since 4 Years Ago

Jan
10
1 month ago

Awarded Best Reply on Security Concern About Livewire Render Method

For those people concerned about Livewire's security, here is the official answer:

"The internal routes would require someone calculating the fingerprint and the data checksum to be able to access them, and as the checksum is generated using your app key, that would be next to impossible without that key. If they have that key, then you have bigger problems.

From a testing perspective though, if you are using the call method in your test, that actually calls the method on the component itself, like a unit test on the component. It doesn't go through the router, hence why you don't get any route level authorisation.

If you only need one level of authorisation for that route and component, then I would just add a normal get test where you test the route with authorisation at the top of your testing file to ensure that the route is restricted.

But if different actions have different authorisation levels, then I would be putting authorise in each of the methods, in which you should be able to test that when you use call in your Livewire test."

Thanks to @joshhanley on GitHub

See the full thread: https://github.com/livewire/livewire/discussions/2311


Jan
06
2 months ago

Replied to Security Concern About Livewire Render Method

That is a more complete Livewire component version. I'm trying to implement user impersonation functionality. If I use auth on render, as I had before to implement the impersonation, it's all working perfectly.

The problem appears after the user clicks on impersonation: before the redirect happens, the render method is called and the impersonated user can't access this section, so a 403 error appears and the redirect doesn't happen.

<?php

namespace App\Http\Livewire;

use App\Models\User;
use Illuminate\Foundation\Auth\Access\AuthorizesRequests;
use Livewire\Component;
use Livewire\WithPagination;

class Users extends Component
{
    use WithPagination, AuthorizesRequests;
    
    //Model
    public User $user;
    
    //Table values & filters
    public $search = '';
    private $paginate = 10;
    
    // Other stuff
    
    public function impersonate(User $user)
    {
        session()->put('impersonate', auth()->user()->id);
        auth()->loginUsingId($user->id);
        
        return redirect('/');
    }
    
    public function render()
    {
        $this->authorize('isAdmin', auth()->user());
        
        return view('livewire.users', [
            'users' => User::with('role', 'clients')
                ->search(['name', 'email', 'clients.name', 'role.name'], $this->search)
                ->orderBy('name')
                ->paginate($this->paginate)
        ]);
    }
}

So, my concern here is: is it secure to avoid authorization in the render method if I have the /users route protected in the web.php file?

I'm asking that because Livewire creates internal custom routes like http://path/livewire/messages/users to work.
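
The advice quoted in the reply above and the impersonation component in this post, combined as an added example (not code from the thread or from Livewire): the action authorizes itself before switching identity, and two tests cover the route and the action separately. It assumes Livewire v2, that `/users` is gated in web.php so a non-admin gets a 403, that `render()` no longer authorizes, and that a factory-made user is a non-admin; the two classes belong in separate files.

```php
<?php
// Added example, not code from the thread. Assumes Livewire v2, the 'isAdmin'
// gate from the post, and that a factory-made user is a non-admin.
namespace App\Http\Livewire;

use App\Models\User;
use Illuminate\Foundation\Auth\Access\AuthorizesRequests;
use Livewire\Component;

class Users extends Component
{
    use AuthorizesRequests;
    // render() as in the post, assumed here to run without its authorize() call.
    public function impersonate(User $user)
    {
        // Check the real user inside the action, before the identity switch.
        $this->authorize('isAdmin', auth()->user());
        session()->put('impersonate', auth()->id());
        auth()->loginUsingId($user->id);

        return redirect('/');
    }
}

namespace Tests\Feature;

use App\Http\Livewire\Users;
use App\Models\User;
use Illuminate\Foundation\Testing\RefreshDatabase;
use Livewire\Livewire;
use Tests\TestCase;

class UsersAuthorizationTest extends TestCase
{
    use RefreshDatabase;

    public function test_users_route_rejects_non_admin()
    {
        // Plain GET through the router: exercises the web.php protection.
        $this->actingAs(User::factory()->create())->get('/users')->assertForbidden();
    }

    public function test_impersonate_action_rejects_non_admin()
    {
        // call() runs the method directly, so only the in-method check applies.
        Livewire::actingAs(User::factory()->create())->test(Users::class)
            ->call('impersonate', User::factory()->create()->id)
            ->assertForbidden();
    }
}
```

If the second test passes only while `render()` still authorizes, the action itself is unprotected and the 403 is coming from the initial render instead.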


Replied to Security Concern About Livewire Render Method

That was my first thought but it has a problem.

Let me show you an example: If you have to authorize over a property defined on the component, it will throw an exception ErrorException : Typed property App\Http\Livewire\Messages::$project must not be accessed before initialization

<?php

namespace App\Http\Livewire;

use App\Models\Project;
use Illuminate\Foundation\Auth\Access\AuthorizesRequests;
use Livewire\Component;

class Messages extends Component
{
    use AuthorizesRequests;
    
    //Models
    public Project $project;
    

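    public function mount(Project $project)
    {
        // $this->project is read here before it is assigned on the next line,
        // which is what raises the "must not be accessed before initialization" error
        $this->authorize('view', $this->project);
        $this->project = $project;
        $this->resetPost();
    }

    // resetPost() and the rest of the component are not shown
}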

Replied to Security Concern About Livewire Render Method

It is a Full-Page component, I can't do that ;)


Started a new Conversation Security Concern About Livewire Render Method

Hi everyone,

I have a security concern about the render method.

Let me explain with an example. My render method looks like:

public function render()
{
    $this->authorize('isAdmin', auth()->user());

    return view('livewire.users', [
        'users' => User::with('role', 'clients')
            ->search(['name', 'email', 'clients.name', 'role.name'], $this->search)
            ->orderBy('name')
            ->paginate($this->paginate)
    ]);
}

My question here is: is it necessary to authorize in the render method if you check the policy on the web.php routes? Btw, this example is the typical section only allowed for the admin role.

Thanks!