Comments (9)
PR #21 will address the concerns brought up in this issue. @mikebarlow what do you think?
from megaphone.
Hey, so yeah I think @axelzuzek's concern is that the user model is visible when you inspect the internal API calls that Livewire performs. So for example from the Megaphone demo, when I run a mark-as-read command, here is a screenshot from the payload; you can see the serialized user model with the ID exposed.
Thanks for the PR, I'll take a look in the next few days. My initial thought had been to remove the public $user and try and do something with $request->user(), as I think the user session should be available within Livewire requests. That way we can remove the need for passing the serialized model or even a "notifiable_id", so there should be no issues with user model data being visible in the main request payload.
request()->user() is what's being used to set the public notifiable_id property right now, so really we could just drop the public property altogether and just use the request user in the markAsRead function... I'll make a change to the PR and test in the morning. 👍🏻
Hey Mike, just updated the component and it works flawless. Thx a lot!
megaphone/src/Livewire/Megaphone.php (line 11 in e0eb259)

Currently $user is a public variable and the user model with all related models is serialized as JSON and visible to the user client-side. This can be a major security issue. As far as I see $user is not used in the component's templates, so could you please change this to

```php
class Megaphone extends Component { private $user; ...
```

this would solve the problem.
thx
Can you give an example or screenshot of this in practice? I cannot see anything on my front end for this when rendering the Livewire component.
Often I see comments on posts with people bringing up this complaint and 9/10 times it's because they have barryvdh/laravel-debugbar installed and they're seeing the requests from that and mistaking them for the Livewire request.
Another thing to note here as per the Livewire 2.0 docs:

> Note: For this to work, you need to have a validation entry in the $rules property for any model attributes you want to bind to. Otherwise, an error will be thrown.

Since there is nothing bound to $user there will be no actual data passed.

The reason that it cannot be made private or protected is because of this:

> protected and private properties DO NOT persist between Livewire updates. In general, you should avoid using them for storing state.

> You should also note that while null data type is Javascript-friendly, public properties set to null DO NOT persist between Livewire updates.

So after we trigger a markAsRead() we need to reload the announcements for the user, and if user is set to protected or private it will be null and the loadAnnouncements() will return an empty collection.
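To make the two points in this thread concrete (dropping the public model property and resolving the user from the request instead, and why a private property is not a substitute), here is an added example that is not Megaphone's own code: a minimal Livewire 2 component in the shape the issue describes, next to one that resolves the authenticated user on every call. The class names, the view name, the notification ids and the use of Laravel's database notifications are assumptions for illustration.

```php
<?php
// Added example, not Megaphone's own code. Assumptions: the notifiable model is
// App\Models\User, notifications are Laravel database notifications, the Blade
// view is livewire.megaphone, and PHP 8 (nullsafe operator) is in use.

namespace App\Http\Livewire;

use Illuminate\Support\Collection;
use Livewire\Component;

// BEFORE: every public property is dehydrated into the component payload that
// Livewire sends to the browser (wire:initial-data on first render, then the
// JSON body of each /livewire/message/... request). For an Eloquent model that
// means at least the model class and primary key are visible client-side, and
// the client sends the property back on the next request, so the server is
// trusting state that round-tripped through the browser.
class LeakyMegaphone extends Component
{
    public $user;

    public function mount()
    {
        $this->user = request()->user();
    }

    public function markAsRead(string $id)
    {
        // $this->user was rehydrated from the client's copy of the payload.
        $this->user->notifications()->where('id', $id)->first()?->markAsRead();
    }

    public function render()
    {
        return view('livewire.megaphone', [
            'announcements' => $this->user->unreadNotifications,
        ]);
    }
}

// AFTER: no user state on the component at all. The authenticated user is
// resolved server-side from the session on every Livewire request, so nothing
// about the user appears in the payload and nothing can be tampered with.
// Making $user private or protected is not an alternative: Livewire does not
// persist such properties between updates, so it would be null when
// markAsRead() fires and loadAnnouncements() would return an empty collection.
class HardenedMegaphone extends Component
{
    public function markAsRead(string $id)
    {
        $user = request()->user();
        abort_unless($user, 403);

        // Scope the lookup to the authenticated notifiable so a forged id
        // cannot mark another user's notification as read.
        $user->unreadNotifications()->where('id', $id)->first()?->markAsRead();
    }

    protected function loadAnnouncements(): Collection
    {
        // Reloaded on every request; empty collection for guests.
        return optional(request()->user())->unreadNotifications ?? collect();
    }

    public function render()
    {
        return view('livewire.megaphone', [
            'announcements' => $this->loadAnnouncements(),
        ]);
    }
}
```

To check what actually reaches the client, look at the wire:initial-data attribute on the component's root element in the page source and at the JSON body of the XHR requests to /livewire/message/... in the browser's network tab (not at Debugbar's own requests, which is the confusion mentioned above). In Livewire 2 a public Eloquent property shows up there with its class name and primary key under serverMemo.dataMeta.models, and its attributes only for the keys listed in $rules; with no user property on the component, nothing user-related is in the payload at all.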
I've updated the PR with the suggestions from this conversation. Let me know what you think.
any news here?
Hey, sorry real life got in the way of getting this done.
Just finished up the readme changes and merged in now as 1.2.0