jlrdw liked a comment+100 XP

3d ago

I think if you're new go for it and give a month or two of studying. I think you're lucky to have it because it wasn't around when I started and everything has changed so much especially front end.

jlrdw liked a comment+100 XP

3d ago

For me Laracasts has been worth every penny, and if you are missing something you can always contact the Laracasts team and ask for a more specific course on something, and if you are lucky they will create it.

jlrdw liked a comment+100 XP

3d ago

Policies are great for keeping all authorizations in the same place.

A service is to handle business logic, you shouldn't write any authorization code in a service.

For example, in my code:

  • the services only execute the code for the business logic: get, store, update, delete, ...

  • the policies contain the authorizations

  • the controllers check for authorizations via the policies and then execute an action via the services

jlrdw wrote a reply+100 XP

4d ago

Have you tried hasFile with the thumbnail?

The dd ends execution.

jlrdw wrote a reply+100 XP

5d ago

Did you tell Apache the new htdocs location?

DocumentRoot "/xampp/apache/htdocs"
<Directory "/xampp/apache/htdocs">

jlrdw wrote a reply+100 XP

6d ago

Are you sure Livewire 4 was pulled in?

jlrdw liked a comment+100 XP

6d ago

When a user goes to their roles page and goes to a specific role panel, I will put the hidden roleId on forms, so I can check in authorization if this user has this role, and if this role has the permission needed for the action. How is it? Is it a bad practice?

Don't do this. Anyone could modify the hidden input in the page source and spoof a different role.

You don't need to add any hidden inputs. Your backend already knows who the user is, and you can use Laravel's built-in authorization features. I strongly recommend you read the documentation first:

https://laravel.com/docs/13.x/authorization

But I can give you a quick rundown.

Below is a simple policy class for a Post model. It has just one authorization check: can a user edit a post. Editing is allowed if the user is a super-admin or the original author of the post.

class PostPolicy {
    public function edit(User $user, Post $post): bool {
        if ($user->role === 'super-admin') {
            return true;
        }

        return $user->id === $post->user_id;
    }
}

Here's how you register the policy on the model:

use Illuminate\Database\Eloquent\Attributes\UsePolicy;

#[UsePolicy(PostPolicy::class)]
class Post extends Model {
    ...
}

Once you have the policy registered, you can do authorization checks in code, middleware, and Blade templates. Some examples:

// Authorization check in middleware:
Route::patch('/posts/{post}', [PostController::class, 'update'])
    ->can('edit', 'post')
    ->name('posts.update');

// Authorization check in a controller:
if ($request->user()->can('edit', $post)) {
    ...
}

// Authorization check in Blade (the ability name must match the policy method, 'edit' here):
@can('edit', $post)
    ...
@endcan

The docs have all the details.

jlrdw liked a comment+100 XP

6d ago

My opinion:

  • it depends on what you need, but it's not a bad practice to have one controller for the superadmin and one controller for the users

  • the same logic can be applied to views and routes

  • to check if a user has the permission to do an action, it's not a good practice at all to only check the role id in the frontend; you have to check authorizations in the backend, and the best way to do that is to write policies. Inside policies you can check the roles and/or the permissions

What you name authority is a role.

In practice a user can have one or several roles, and each role comes with some permissions. It's generally not recommended to assign permissions directly to users. The best way is to assign permissions to roles and to assign roles to users. But for fine permission control, you can occasionally assign permissions to users if it's really needed in your application. I don't do so, but surely some cases can justify doing so.

If you need help to do all this, you can have a look at this Laracasts series.

https://laracasts.com/series/mastering-permissions-in-laravel
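Added example (not code from either comment above, nor from Laravel itself) that ties the policy rundown to the roles-and-permissions advice: permissions hang off roles, roles off users, and the policy is the only place the decision is made. The pivot tables role_user and permission_role, the permission name posts.edit-any and the two controller-style functions are assumptions.

```php
<?php
// Added example, not code from the thread. Assumes pivot tables role_user and
// permission_role (hypothetical names) behind the relationships below.
use Illuminate\Database\Eloquent\Model;
use Illuminate\Database\Eloquent\Relations\BelongsToMany;
use Illuminate\Foundation\Auth\User as Authenticatable;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Gate;
class Permission extends Model {}
class Post extends Model {}

class Role extends Model
{
    public function permissions(): BelongsToMany
    {
        return $this->belongsToMany(Permission::class);
    }
}

class User extends Authenticatable
{
    public function roles(): BelongsToMany
    {
        return $this->belongsToMany(Role::class);
    }

    // A permission reaches a user only through a role; none are granted per user.
    public function hasPermission(string $name): bool
    {
        return $this->roles()
            ->whereHas('permissions', fn ($q) => $q->where('name', $name))
            ->exists();
    }
}
// The single place that answers "may this user edit this post" (register it
// with #[UsePolicy] as in the comment above).
class PostPolicy
{
    public function edit(User $user, Post $post): bool
    {
        return $user->hasPermission('posts.edit-any')
            || $user->id === $post->user_id;
    }
}

// Shape from the question: a hidden role_id in the form decides. The browser
// controls that value, so the permissions of any role can be claimed with it.
function updateTrustingForm(Request $request, Post $post): void
{
    $role = Role::findOrFail($request->input('role_id'));
    if ($role->permissions()->where('name', 'posts.edit-any')->exists()) {
        $post->update($request->only('title', 'body'));
    }
}

// Hardened: identity from the session, decision from the policy, form ignored.
function updateViaPolicy(Request $request, Post $post): void
{
    Gate::authorize('edit', $post); // AuthorizationException (403) on denial
    $post->update($request->only('title', 'body'));
}
```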

jlrdw wrote a reply+100 XP

6d ago

When a user goes to their roles page and goes to a specific role panel, I will put the hidden roleId on forms, so I can check in authorization if this user has this role, and if this role has the permission needed for the action. How is it? Is it a bad practice?

I agree with @jussimannisto: do not use hidden fields. I suggest viewing some video series here on authentication and authorization, and reviewing the documentation.

These checks are best done server side.

I also suggest taking this training: https://laracasts.com/series/laravel-from-scratch-2026

Also I gave an idea here: https://laracasts.com/discuss/channels/general-discussion/how-should-i-structure-authorization-for-owner-super-admin-community-admin-and-dynamic-roles-in-a-laravel-social-network?page=1&replyId=975679

Having the same controller but a separate method for user versus admin.

jlrdw wrote a reply+100 XP

1w ago

Can you show the field(s) you want to use?

Edit:

I suggest backing up the database first, otherwise you could lose data.

jlrdw liked a comment+100 XP

1w ago

I've already done this in the past too.

Rather than upgrading, it's sometimes faster to create a new application.

Here is what I did:

  • backup all data
  • keep all views and actions
  • create a new application
  • implement all functionalities, one by one

jlrdw liked a comment+100 XP

1w ago

@iamyannc Hey. I’ve done a lot of these type of re-factoring and re-platforming projects in the past. The way I’d approach it would be like this:

  • Get the application running on a newer version of PHP. So upgrade to 7, fix any usage of deprecated APIs and libraries, and then when possible upgrade to PHP 8 and do the same.
  • Once you’ve got the vanilla PHP application running on a modern version of PHP, create a new Laravel application and dump your legacy application’s files in the public directory.
    • Rename Laravel’s index.php file to something like laravel-index.php to avoid clashing with your legacy index.php file.
    • Tweak your .htaccess or nginx config to just load a file if it exists, or fall back to Laravel’s front controller.
  • You should now have a Laravel application, but with no requests actually being routed through it to start off with, and instead requests hitting your legacy application as before.
  • Slowly start re-factoring your legacy application to Laravel controllers, views, etc. Do this slowly, and one discrete part at a time. Trying to re-factor too much in one go just leads to lots of files being touched, none of them 100% converted, and the dreaded feeling of, “Urgh, I need to git reset this and start over.”
  • As you do the above, the number of files from the legacy application will decrease, and the number of Laravel files increase, until you’re left with nothing of the legacy application.

Happy for you to reach out if you have any questions. DM me on Twitter 𝕏 (https://x.com/martinbean) and I can share my email address.

jlrdw liked a comment+100 XP

1w ago

I had tried the Spatie Roles & Permissions package, but now I write my own roles and permissions code.

Do you want more details?

jlrdw wrote a reply+100 XP

1w ago

Don't get hung up on the terms. A "Super Admin" means nothing to me except:

They can or cannot do something.

Think like this:

  • Authentication = Logged in
  • Authorization = What they can or cannot do with their role(s)

I have an app where the admin can view but not otherwise mess with bookkeeping.

Learn about query scopes also, that way in a query a user can edit only their data but an admin can view all and edit certain fields.

DO NOT let AI write Authentication and Authorization, do this yourself. Go through the (yes steep) learning curve on this stuff. It gets easier once learned.

In a large app I do use separate controller methods, like:

  • index is general user
  • indexAdmin for admins of course

And separate views. In a smaller app I might not have the separation. This is highly subjective.

Note that the documentation covers this well and there are entire videos on this right here on laracasts.

jlrdw wrote a reply+100 XP

1w ago

Also before doing anything and while converting at various times:

Backup your data

jlrdw wrote a reply+100 XP

1w ago

You can't multiply that by 1000. At one time a best answer was 500 not 1000.

jlrdw liked a comment+100 XP

2w ago

80% of the work takes 20% of the time. The other 20% of the work takes 80% of the time.

What you are saying to me is that you have 5-10% of your project complete by AI, by stating that 90-95% of the goals are met, which is the easy stuff, and what about the other 5-10%?

Who is going to spend the rest of the 90-95% of the time that still needs to be done?

jlrdw liked a comment+100 XP

2w ago

For AI there is no easy question or hard question. If you ask questions, it runs a query from its database, calculates those data and passes it to you.

That's not how an LLM works. It doesn't run queries. It's a stochastic text predictor that produces text one token at a time. It's a pattern completion machine. The appearance of understanding is an illusion.

This is also true, but as of now you can get any kind of solution with AI.

No. AI gives you text output. Nothing beyond that is guaranteed.

AI gets things wrong, hallucinates, tries to solve every problem locally rather than globally, etc. Some issues may be solvable with tooling, but some may be fundamentally beyond the capabilities of the current text predictor approach. These LLMs aren't AGI.

jlrdw liked a comment+100 XP

2w ago

If you're serious I would chill and watch the courses. But you need a path you want to go down, usually which front end you're using is the big question.

I'd follow the courses. I wasted Hella time not watching 😞

jlrdw liked a comment+100 XP

2w ago

I understand your opinion.

Well ... some years ago, calculators were created ... and accounting software too.

But you still need to have an accountant.

jlrdw wrote a reply+100 XP

2w ago

This answer I know will do no good, but when using AI it should be to assist, refactor and things like that. You should already know how to code the stuff as if there were no AI. And authorization and authentication should not be done by AI.

I'm not saying you will, but there are people all over the world who will use AI the wrong way.

I recently used AI to help refactor some python code. But I know the math and can identify if all is correct.

jlrdw wrote a reply+100 XP

3w ago

Did you follow the deployment chapter? Also, did you make sure to set up for production and not install debugging tools in production?

https://laravel.com/docs/13.x/deployment

jlrdw wrote a reply+100 XP

3w ago

jlrdw wrote a reply+100 XP

3w ago

That's why I miss the good old pencil and paper days. Or at least the old MSDOS days.

jlrdw wrote a reply+100 XP

3w ago

I download the actual code, no library:

quote

!function(e,t){"object"==typeof exports&&"undefined"!=typeof module?module.exports=t():"function"==typeof define&&define.amd?define(t):(e="undefined"!=typeof globalThis?globalThis:e||self).axios=t()}(this,(function(){"use strict";function e(e){var r,n;function o(r,n){try{var a=e[r](n),s=a.value,u=s instanceof t;Promise.resolve(u?s.v:s).then((function(t){if(u){var n="return"===r?"return":"next";if(!s.k||t.done)

///   much more in the file just example

unquote

And use like old school:

<script type="text/javascript" src="<?php echo asset('assets/js/axios.min.js'); ?>"></script>

I only use what comes with laravel in vendor. And now I probably won't trust axios, I will go back to using fetch js.

I have never even used NPM.

The compromised version was up for 3 hours.

But how much damage was done, other servers could have been hit as well. Depending on how the malware was written.

jlrdw wrote a reply+100 XP

3w ago

I am pretty sure Jeffrey had to tweak something.

jlrdw wrote a reply+100 XP

3w ago

Until it's resolved I wouldn't even trust NPM.

One good thing: I don't install axios, I just download it. Grab this URL:

https://unpkg.com/axios/dist/axios.min.js

And download it and use direct. I never use NPM anyway. But after the second time I've seen problems with axios, I will probably just stick to using fetch js.

jlrdw wrote a reply+100 XP

3w ago

The docs explain this: https://laravel.com/docs/13.x/authorization#policy-methods

In the example see this line:

return $user->id === $post->user_id;

In words: if the logged-in user's id matches the user id of that post, it is true and they can edit. If not, they cannot edit.

I suggest another study of policies. https://laravel.com/docs/13.x/authorization#creating-policies

You can also use RBAC see https://martinbean.dev/blog/2021/07/29/simple-role-based-authentication-laravel/

I use something similar. Once a good RBAC system is learned (yes high learning curve) an outside package isn't needed.

Edit:

You can also use gates instead of policies.

Also, security can be one of the trickiest aspects of an app to set up. Never depend on AI for coding correct security.

But once learned well, it gets easier.

jlrdw wrote a reply+100 XP

4w ago

You can't go by the URL; you ensure the auth id is used and they are authorized to perform the edit. For example, edit their own data but not someone else's.

There are also numerous videos here on authentication and authorization.

Basically

  • Authentication = logged in
  • Authorization = what they can or cannot do.

A query scope can be used (for example) to show the authenticated user only their data. Never get this from the URL but from Auth::user()->id. I use the facade.

The exception, and just an example: a manager is editing employee data. They click edit in the table next to Joe Smith to bring up the edit page. So in the case of a known good manager who is editing (and who is authorized), the URL id is used.

Whereas if Joe Smith is editing his data, do not allow the data from the URL.
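Added example (not code from the reply above) of the two flows it describes: a local query scope that narrows rows to the session user, a self-service edit that takes no id from the URL, and the manager exception where the URL id is accepted only after a policy check. The Employee model, the users.role column and the EmployeePolicy are assumptions.

```php
<?php
// Added example, not code from the thread. Assumes an Employee model with a
// user_id column and a users.role column (hypothetical names).
use Illuminate\Database\Eloquent\Builder;
use Illuminate\Database\Eloquent\Model;
use Illuminate\Foundation\Auth\User as Authenticatable;
use Illuminate\Support\Facades\Auth;
use Illuminate\Support\Facades\Gate;

class User extends Authenticatable
{
    public function isManager(): bool
    {
        return $this->role === 'manager';
    }
}

class Employee extends Model
{
    // Local scope: managers see every row, everyone else only their own.
    public function scopeVisibleTo(Builder $query, User $user): Builder
    {
        return $user->isManager() ? $query : $query->where('user_id', $user->id);
    }
}

// Assumed to be registered for Employee (Gate::policy or #[UsePolicy]).
class EmployeePolicy
{
    public function update(User $user, Employee $employee): bool
    {
        return $user->isManager() || $user->id === $employee->user_id;
    }
}

class EmployeeController
{
    public function index()
    {
        return view('employees.index', [
            'employees' => Employee::visibleTo(Auth::user())->get(),
        ]);
    }

    // Self-service: the row comes from the session identity. No id is read
    // from the URL, so the request cannot be steered to another employee's row.
    public function editSelf()
    {
        $employee = Employee::where('user_id', Auth::id())->firstOrFail();
        return view('employees.edit', ['employee' => $employee]);
    }

    // Manager flow: the URL id picks the row (route model binding), but only
    // after the policy has confirmed this user may update it.
    public function edit(Employee $employee)
    {
        Gate::authorize('update', $employee);
        return view('employees.edit', ['employee' => $employee]);
    }
}
```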

jlrdw wrote a reply+100 XP

4w ago

He fixed it.

jlrdw wrote a reply+100 XP

4w ago

Using a cheap shared hosting package purely for email.

You will probably have problems with quotas on a shared host but won't hurt to check with their sales.

jlrdw wrote a reply+100 XP

4w ago

https://laracasts.com/path is a good start.

jlrdw wrote a reply+100 XP

1mo ago

how can I avoid losing the existing data?

No matter what you do, Backup first.

jlrdw wrote a reply+100 XP

1mo ago

Thanks for confirming.

jlrdw liked a comment+100 XP

1mo ago

I checked with Firefox 149.0 on Windows and I confirm the problem.

Also "Forum" link in a header doesn't work, browser just doesn't navigate to https://laracasts.com/discuss (other nav links work fine).

jlrdw wrote a reply+100 XP

1mo ago

Has anyone checked Firefox? I'm referring to full link:

https://laracasts.com/discuss gives a blank screen.

But https://laracasts.com/ works

jlrdw started a new conversation+100 XP

1mo ago

Anyone else having problems with the forum portion only with Firefox? Other areas are working fine.

jlrdw wrote a reply+100 XP

1mo ago

I have seen this in larger companies where there are dedicated personnel to deal with the servers. The company my son works for has a large I.T. team and their own servers. He is a programmer for the company.

But even a smaller company can still have a dedicated server off site.

jlrdw wrote a reply+100 XP

1mo ago

I think Envoyer is still good for multiple servers. But the latest Forge will probably meet your needs.

jlrdw wrote a reply+100 XP

1mo ago

I found it, he just has a tab showing auth example for route and one for controller, there is nothing wrong with that. Just quick preview stuff.

jlrdw wrote a reply+100 XP

1mo ago

What link goes to that page?

jlrdw wrote a reply+100 XP

1mo ago

That site doesn't look like laravel.com.

jlrdw wrote a reply+100 XP

1mo ago

I did use Gemini a while back to convert some python code where a bunch of the code had regular analytic geometry.

Like:

THETA = Z34 / abs(Z34) * (math.acos(X34 / math.sqrt(abs(X34) ** 2 + abs(Z34) ** 2)))
# quite a few lines similar to this.

I asked it to convert to numpy for the rotation between bends, and it gave me:

import numpy as np

def calculate_bend_rotation(p_prev, p_curr, p_next, p_after_next):
    # Direction vectors of the three consecutive tube segments
    v1 = p_curr - p_prev
    v2 = p_next - p_curr
    v3 = p_after_next - p_next

    # Normals of the two bend planes
    n1 = np.cross(v1, v2)
    n2 = np.cross(v2, v3)

    dot_product = np.dot(n1, n2)
    magnitudes_product = np.linalg.norm(n1) * np.linalg.norm(n2)

    # Collinear points give a zero-length normal: no rotation between bends
    if magnitudes_product == 0:
        return 0

    # Angle between the bend planes; clip guards against rounding outside [-1, 1]
    angle_rad = np.arccos(np.clip(dot_product / magnitudes_product, -1.0, 1.0))

    # Sign of the rotation, taken relative to the shared segment v2
    direction_indicator = np.dot(v2, np.cross(n1, n2))

    if direction_indicator < 0:
        angle_rad = -angle_rad

    return np.degrees(angle_rad)

After testing (real world) by actually bending a tube, the code was correct. I also compared results with the original tube bending program; the results were the same.

But this was just for fun, as a lot of FreeCAD forum users use the numpy library. I also have been converting sheet metal layout code from BASIC to Python. Things like elbows, ogee offsets, rectangular to round ducts, etc. I know the analytic geometry math but am new to numpy. It just deals with things like multiplying matrices and matrix operations behind the scenes. The same math, but a big time saver done for you.

I admit I was surprised how accurate Gemini was. But I did not get it correct the first time; you have to ask a certain way.

jlrdw wrote a reply+100 XP

1mo ago

I think it was this series: https://laracasts.com/series/leveraging-ai-for-laravel-development

I don't recall now which video.

jlrdw wrote a reply+100 XP

1mo ago

One package is https://github.com/MohmmedAshraf/laravel-translations But I don't know if it's Laravel 13 ready yet. There are others as well.

jlrdw wrote a reply+100 XP

1mo ago

Have a look at Jeffrey's recent AI series where he discusses his choices.

jlrdw wrote a reply+100 XP

1mo ago

Whether eloquent or not, as long as the user of the API has instructions on its usage.

One I have used in the past: https://partner-apis.adoptapet.com/#cfd44286-aa56-47f0-b647-b19858c27bf2

Notice they give instructions on usage. It's simple if only returning, say, 15 or 20 items as JSON. But let the user know how to do pagination if there are a lot of results, with an example query string.