This trait protects public Livewire properties, by default, from being changed by the user in the frontend via Livewire JS calls. See: https://www.reddit.com/r/laravel/comments/q0qrri/livewire_extremely_insecure/
If you want to 'expose' methods and properties, you must use the $callable and $mutable properties to do so. By default, every property defined in $rules or rules() is considered mutable.
This trait will throw an exception if mutable and callable properties are nonexistent on your component.
- WithPropertyProtection is used to protect the properties of the component
- WithMethodProtection is used to protect the methods of the component
Because the properties stay public, their data is not lost on subsequent Livewire updates. They can still be set initially on a component via @livewire(), but not changed after that.
For methods the case is less clear; I just like to see one explicit list at the top of my component so I know authorization is needed there.
Example:
class YourLivewireComponent extends Component
{
    use WithProtection;

    // Allowlists: only these names may be changed or called from the frontend.
    public $mutable = ['myMutableProp'];
    public $callable = ['myCallableMethod'];

    public $myMutableProp = "foo";
    public $myImmutableProp = "bar";

    public function myCallableMethod() { /* ... */ }
    public function myUncallableMethod() { /* ... */ }
    // ...
}
Livewire.all()[0].$myImmutableProp = 'evil'
Exception:
You cannot change the value of the immutable property 'myImmutableProp'. Allow it by setting the `$mutable` array.
Livewire.all()[0].myUncallableMethod()
Exception:
Method 'myUncallableMethod' is not allowed to be called. Allow it by setting the `\$callable` array.
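The property allowlist check described above, as an added plain-PHP sketch that is not the gist's own code: it shows how nested names such as `post.title` and typos in the allowlist can be handled so the check fails closed. All function and class names are hypothetical; it assumes the check runs before a client update is applied (for example from Livewire's `updating()` lifecycle hook) and that the "nonexistent" exception refers to names listed in `$mutable` or `$rules`.

```php
<?php
// Added illustration; all names here are hypothetical, not the gist's own code.
final class ProtectionViolation extends RuntimeException {}

function rootOf(string $name): string
{
    return explode('.', $name, 2)[0];   // "post.title" is a write to "post"
}

/** Names a client may write: $mutable plus every key of $rules. */
function mutableAllowlist(object $component): array
{
    $allowed = array_merge($component->mutable ?? [], array_keys($component->rules ?? []));
    // Fail closed on typos: every entry must point at a real property.
    foreach ($allowed as $entry) {
        if (! property_exists($component, rootOf($entry))) {
            throw new LogicException("Allowlisted property '{$entry}' does not exist.");
        }
    }
    return $allowed;
}

/** Run before applying a client-supplied update (e.g. from an updating() hook). */
function assertMutable(object $component, string $name): void
{
    $allowed = mutableAllowlist($component);
    // Assumption: a name passes if it is listed itself or its root property is listed.
    if (! in_array($name, $allowed, true) && ! in_array(rootOf($name), $allowed, true)) {
        throw new ProtectionViolation(
            "You cannot change the value of the immutable property '{$name}'."
        );
    }
}

// Constructed stand-in for a component (plain object, no Livewire required).
$component = new class {
    public $mutable = ['myMutableProp'];
    public $rules = ['post.title' => 'required'];
    public $myMutableProp = 'foo';
    public $myImmutableProp = 'bar';
    public $post = ['title' => 'draft', 'id' => 1];
};

$names = ['myMutableProp', 'myMutableProp.0', 'post.title', 'post.id', 'myImmutableProp', 'mutable'];
foreach ($names as $name) {
    try {
        assertMutable($component, $name);
        echo "{$name}: allowed\n";
    } catch (ProtectionViolation $e) {
        echo "{$name}: rejected\n";
    }
}
```

The last three names are rejected: `post.id` because only the exact rule key `post.title` is listed, and `mutable` because the allowlist itself is a public property that must never be client-writable.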
Hey @camya It's a bad idea to place them in the vendor dir. When composer updates livewire you'll lose the traits... Best copy them somewhere in your own app folder (with a corresponding namespace) and reference in your (base) components. Or make a package if you want
I have a str() helper indeed, replaced it with your code. Edit: I see str() is now part of Laravel 9.