Do we have to guess your question ?

Question?

I accidentally stabbed myself in the foot. Is there any way to unstab my foot? I only have two feet and this one is used to kick the cat so I cant afford to lose it.

Funny comparison ;).

Is this a how to use maatwebsite/excel article?

Look over: https://docs.digitalocean.com/products/snapshooter/how-to/back-up-managed-databases/

But I backup at least daily depending on the app.

I regularly use AI.

When I started using AI, I was impressed about the results, but there was frequently errors, too frequently. I lost time because of using AI.

Now I'm using AI only to save time for writing code I already know how write it, but much faster to write by the AI : I say to AI exactly what I want and there are less errors, I just have to correct some mistakes.

If you don't know what you need, the AI is not the best approach to code.

You must know what you need, then you can explain the AI exactly what you need, and the AI executes.

According to me you don't need EDA for your example.

I often say to me that I should always code as easy as possible (KISS principle).

I think you should learn how to code, and then use AI as a tool, and not as a developer.

Honestly, ignore the AI on this one. What you’ve written is a solid, clean Action class. It’s readable, it handles the transaction properly, and it gets the job done.

EDA is fantastic for decoupling, but it’s absolute overkill for a simple stock adjustment. You only really need to go down that road if a stock change needs to trigger a bunch of unrelated side effects like hitting a third-party API, sending emails, or clearing remote caches and you don't want to bloat your main logic.

Be careful using AI, it gets side tracked a lot. And do not use it for authentication or authorization, write your own. Know how to do these things without AI before using it as a tool.

Also see my reply here: https://laracasts.com/discuss/channels/ai/gemini-vs-claude-with-boost?page=1&replyId=975232

But I knew what to check to ensure AI was correct.

If AI seems side tracked, start over. Otherwise it gets more side tracked.

I agree with @martinbean and I see no reason to obsfucate code.

The framework part is open source anyway. And any application done in laravel, any knowledgeable developer can duplicate anyway.

If really concerned about "hiding" code I suggest have a SaaS application, that way an end user never actually sees the code.

It's already protected if the repo is private. Besides any modern app can be duplicated anyway by a knowledgeable developer.

Take this forum, can you see all the code used, no. Not counting the fact he shares how it's done. But if it was a private repo you couldn't.

I would suggest have a private repo for the client.

Just FYI I do my own. For Windows I download the zip files for mariadb, apache, php. Setting up is a little learning curve at first, but once you do it, it becomes easy.

And Linux, just install what you need.

Never used a MAC.

Digital Ocean has some good how to articles.

Has it been checked for safety?

I clicked the link and after getting out of the error page it seems laracast.com looses scroll. So somewhere Jeffrey seems to still have a CSS error.

I think if you're new go for it and give a month or two of studying. I think you're lucky to have it because it wasn't around when I started and everything has changed so much especially front end.

For me Laracasts has been worth every penny, and if you are missing something you can always contact the Laracasts team and ask for a more specific course on something, and if you are lucky they will create it.

Policies is great to keep all authorizations at the same place.

A service is to handle business logic, you shouldn't write any authorization code in a service.

For example, in my code :

• the services only execute the code for the business logic : get, store, update, delete, ...

• the policies contain the authorizations

• the controllers check for authorizations via the policies and then execute an action via the services

Have you tried hasFile with the thumbnail?

The dd ends execution.

Dis you tell apache new htdocs location?

DocumentRoot "/xampp/apache/htdocs"
<Directory "/xampp/apache/htdocs">

Are you sure Livewire 4 was pulled in?

When user goes to their roles page and go to a specific role panel, I will put the hidden roleId on forms, so I can check in authorization, if this user have this role, and if this role has the permission needed for the action. How is it? Is it a bad practice?

Don't do this. Anyone could modify the hidden input in the page source and spoof a different role.

You don't need to add any hidden inputs. Your backend already knows who the user is, and you can use Laravel's built-in authorization features. I strongly recommend you read the documentation first:

https://laravel.com/docs/13.x/authorization

But I can give you a quick rundown.

Below is a simple policy class for a Post model. It has just one authorization check: can a user edit a post. Editing is allowed if the user is a super-admin or the original author of the post.

class PostPolicy {
    public function edit(User $user, Post $post): bool {
        if ($user->role === 'super-admin')
			return true;
		 
		return $user->id === $post->user_id;
    }
}

Here's how you register the policy on the model:

use Illuminate\Database\Eloquent\Attributes\UsePolicy;

#[UsePolicy(PostPolicy::class)]
class Post extends Model {
    ...
}

Once you have the policy registered, you can do authorization checks in code, middleware, and Blade templates. Some examples:

// Authorization check in middleware:
Route::patch('/posts/{post}', [PostController::class, 'update'])
	->can('edit', 'post')
	->name('posts.update');
	
// Authorization check in a controller:
if ($request->user()->can('edit', $post)) {
	...
}

// Authorization check in Blade:
@can('update', $post)
	...
@endcan

The docs have all the details.

My opinion :

• it depends on what you need, but it's not a bad pratice to have one controller for the superadmin and one controller for the users

• the same logic can be applied to views and routes

• to check if a user has the permission to do an action, it's not a good practice at all to only check the role id in the frontend, you have to check authorizations in the backend and the best way to do that is to write policies, inside policies you can check the roles and/or the permissions

What you name authority is a role.

In pratice a user can have one or several roles and each roles comes with some permissions. It's generally not recommended to assign permissions directly to users. The best way is to assign permissions to roles and to assign roles to users. But for fine permissions control, you can occasionally assign permissions to users if it's really needed in your application, I don't do so, but sure some cases can justify to do so.

If you need help to do all this, you can have a look at this Laracasts series.

https://laracasts.com/series/mastering-permissions-in-laravel

When user goes to their roles page and go to a specific role panel, I will put the hidden roleId on forms, so I can check in authorization, if this user have this role, and if this role has the permission needed for the action. How is it? Is it a bad practice?

I agree with @jussimannisto do not use hidden fields. I suggest view some video series here on authentication and authorization. And review the documentation.

These checks are best done server side.

I also suggest taking this training: https://laracasts.com/series/laravel-from-scratch-2026

Also I gave an idea here: https://laracasts.com/discuss/channels/general-discussion/how-should-i-structure-authorization-for-owner-super-admin-community-admin-and-dynamic-roles-in-a-laravel-social-network?page=1&replyId=975679

Having same controller but a separate method for user verses admin.

Can you show the fields /s you want to use?

Edit:

I suggest backing up the database first, otherwise you could loose data.

I've already done this in the past too.

Rather than upgrading, it's sometimes faster to create a new application.

Here is what I did :

• backup all data
• keep all views and actions
• create a new application
• implement all functionalities, one by one

@iamyannc Hey. I’ve done a lot of these type of re-factoring and re-platforming projects in the past. The way I’d approach it would be like this:

• Get the application running on a newer version of PHP. So upgrade to 7, fix any usage of deprecated APIs and libraries, and then when possible upgrade to PHP 8 and do the same.
• Once you’ve got the vanilla PHP application running on a modern version of PHP, create a new Laravel application and dump your legacy application’s file in the public directory.
  • Rename Laravel’s index.php file to something like laravel-index.php to avoid clashing with your legacy index.php file.
  • Tweak your .htaccess or nginx config to just load a file if it exists, or fall back to Laravel’s front controller.
• You should now have a Laravel application, but with no requests actually being routed through it to start off with, and instead requests hitting your legacy application as before.
• Slowly start re-factoring your legacy application to Laravel controllers, views, etc. Do this slowly, and one discreet part at a time. Trying to re-factor too much in one go just leads to lots of files being touched, none of them 100% converted, and the dreaded feeling of, “Urgh, I need to git reset this and start over.”
• As you do the above, the number of files from the legacy application will decrease, and the number of Laravel files increase, until you’re left with nothing of the legacy application.

Happy for you to reach out if you have any questions. DM me on Twitter 𝕏 (https://x.com/martinbean) and I can share my email address.

I had tried the Spatie Roles & Permissions package, but now I write my own roles and permissions code.

Do you want more details ?

Don't get hung up on the terms. A "Super Admin" means nothing to me except:

They can or cannot do something.

Think like this:

• Authentication = Logged in
• Authorization = What they can or cannot do with their role /s

I have an app where the admin can view but not otherwise mess with bookkeeping.

Learn about query scopes also, that way in a query a user can edit only their data but an admin can view all and edit certain fields.

DO NOT let AI write Authentication and Authorization, do this yourself. Go through the (yes steep) learning curve on this stuff. It gets easier once learned.

In a large app I do use separate controller methods, like:

• index is general user
• indexAdmin for admins of course

And separate views. In a smaller app I might not have the separation. This is highly subjective.

Note that the documentation covers this well and there are entire videos on this right here on laracasts.

Also before doing anything and while converting at various times:

Backup your data

You can't multiply that by 1000. At one time a best answer was 500 not 1000.

Careful getClientOriginalExtension() is unsafe, see:

https://symfonycasts.com/screencast/symfony-uploads/file-naming#play

https://symfonycasts.com/screencast/symfony-uploads/upload-in-form#play

https://symfonycasts.com/screencast/symfony-uploads/uploader-service#play

What happens if you do the example here: https://image.intervention.io/v4/getting-started/frameworks

80% of the work takes 20% of the time. The other 20% of the work takes 80% of the time.

What you are saying to me is that you have 5-10% of your project complete by AI, by stating that 90-95% of the goals are met, which is the easy stuff, and what about the other 5-10%?

Who is going to spend the rest of the 90-95% of the time that still needs to be done?

For AI there no like easy question or hard question, If you ask questions and it runs query from its database and calculate those data and pass it to you.

That's not how an LLM works. It doesn't run queries. It's a stochastic text predictor that produces text one token at a time. It's a pattern completion machine. The appearance of understanding is an illusion.

This is also true, But As if now you can get any kind solution with AI,

No. AI gives you text output. Nothing beyond that is guaranteed.

AI gets things wrong, hallucinates, tries to solve every problem locally rather than globally, etc. Some issues may be solvable with tooling, but some may be fundamentally beyond the capabilities of the current text predictor approach. These LLM's aren't AGI.

If you're serious I would chill and watch the courses. But you need a path you want to go down, usually which front end you're using is the big question.

I'd follow the courses. I wasted Hella time not watching 😞

I understand your opinion.

Well ... some years in the past, calculators have been created ... and accounting softwares too.

But you still need to have an accountant.

This answer I know will do no good, but when using AI it should be to assist, refactor and things like that. You should know how to already code the stuff if there was no AI. And authorization and authentication should not be done by AI.

But not saying you will, but there are people all over the World who will use AI the wrong way.

I recently used AI to help refactor some python code. But I know the math and can identify if all is correct.

Did you follow the deployment chapter. Also did you make sure to set for production and not install debugging tools in production.

https://laravel.com/docs/13.x/deployment

Also read over https://laravel.com/docs/9.x/deployment#main-content

That's why I miss the good old pencil and paper days. Or at least the old MSDOS days.

I download the actual code no library:

quote

!function(e,t){"object"==typeof exports&&"undefined"!=typeof module?module.exports=t():"function"==typeof define&&define.amd?define(t):(e="undefined"!=typeof globalThis?globalThis:e||self).axios=t()}(this,(function(){"use strict";function e(e){var r,n;function o(r,n){try{var a=e[r](n),s=a.value,u=s instanceof t;Promise.resolve(u?s.v:s).then((function(t){if(u){var n="return"===r?"return":"next";if(!s.k||t.done)

///   much more in the file just example

unquote

And use like old school:

<script type="text/javascript" src="<?php echo asset('assets/js/axios.min.js'); ?>"></script>

I only use what comes with laravel in vendor. And now I probably won't trust axios, I will go back to using fetch js.

I have never even used NPM.

The compromised version was up for 3 hours.

But how much damage was done, other servers could have been hit as well. Depending on how the malware was written.

I am pretty sure Jeffrey had to tweak something.

There was a hack: https://thehackernews.com/2026/03/axios-supply-chain-attack-pushes-cross.html

Until it's resolved I wouldn't even trust NPM.

One good thing I don't install axios I just download it, grab this URL:

https://unpkg.com/axios/dist/axios.min.js

And download it and use direct. I never use NPM anyway. But after the second time I've seen problems with axios, I will probably just stick to using fetch js.

The docs explain this: https://laravel.com/docs/13.x/authorization#policy-methods

in example see this line:

return $user->id === $post->user_id;

In words: If the logged in users id matches the users id of that post is true they can edit. If not they cannot edit.

I suggest another study of policies. https://laravel.com/docs/13.x/authorization#creating-policies

You can also use RBAC see https://martinbean.dev/blog/2021/07/29/simple-role-based-authentication-laravel/

I use something similar. Once a good RBAC system is learned (yes high learning curve) an outside package isn't needed.

Edit:

You can also use gates instead of policies.

Also security can be one of the trickiest aspects of an app to setup. Never depend on AI for coding correct security.

But once learned well, it gets easier.

You can't go by the URL, you ensure the auth id is used and they are authorized to perform the edit. For example edit their own data but not someone else's.

There are also numerous videos here on authentication and authorization.

Basically

• Authentication = logged in
• Authorization = what they can or cannot do.

A query scope can be used to (for example) to show only the authenticated user their data only. Never get this from the URL but from Auth::user()->id. I use the facade.

The exception, and just example, a manager is editing employee data. They click edit in the table next to Joe Smith to bring up the edit page. So in case of a known good manager when editing (who is authorized), the URL id is used.

Whereas if Joe Smith is editing his data, do not allow the data from the URL.

He fixed it.

Using a cheap shared hosting package purely for email.

You will probably have problems with quotas on a shared host but won't hurt to check with their sales.

https://laracasts.com/path is a good start.