Sign in Get started

This episode is for members only

Sign up to access "Learn Livewire" right now.

Already a member? Sign in to continue

Playing

18. Authorization basics

Episodes

0%

Your progress

Total: 2h 52m
Played: 0m
Remaining: 2h 52m

Join or sign in to track your progress

01. Introduction

02. Installing Livewire

03. Properties and methods

04. Rendering a list of books

05. Nesting and keying components

06. Diving straight into forms

07. Using form classes

08. Validating forms

09. Real-time validation

10. Loading states

11. Event basics

12. Getting components talking to each other

13. Using a magic action to toggle edit state

14. Editing a book

15. Dynamic event names

16. Re-using form objects

17. The magic parent action

18. Authorization basics

19. Calling Livewire from JavaScript

20. Detecting property updates with a lifecycle hook

22. Pagination and customising it

23. Adding a search component with URL query parameters

24. Using Alpine if you don’t need Livewire

25. Listening for Livewire events in Alpine

Transcript

00:00

So even though we're not asking the user to provide the ID of the book that they want to be deleted,

00:04

that would be pretty silly, we need to treat things like this as user input. Remember, this stuff is on the client side. Anyone can modify this book ID and have it sent down to our application. And at the moment, what we're not doing is authorizing the deletion of a book.

00:22

We're not checking that it belongs to that user. So technically, I'm not going to demonstrate this. We could come over and change around this value in here, 29, and delete someone else's book, which is not a good idea.

00:34

So always treat stuff like this, like deleting, updating, as user input. We don't need to do that for updating because the model will automatically be protected. But when we're specifically grabbing an ID, looking something up, and performing some sort of action on it,

00:49

we do need to treat it like that. So we're going to go ahead and introduce some authorization here and see how easy this is with Livewire. Okay, so to do this, we're going to go and make out a policy.

01:00

And that's going to be our book policy. And this is just going to govern the rules around books and who can do what. So if you've not worked with policies in Laravel before, basically, we can get rid of this constructor.

01:13

And we can provide out a list of methods here that map to different actions that we can perform on books. So for example, delete. We want to return a true or a false value from this method,

01:24

whether the current user is allowed to delete the book that you are giving this method. So the user is implicit. It's already passed in here. We get that in there.

01:34

We don't need to pass that in ourselves. And we'll also pass a book in here. So let's think about how do we know a user owns a book. Well, in this case, we just want to make sure the user ID equals the book's user ID.

01:48

That's basically how we know a user owns a book. So can a user delete a book if their IDs match? Then yes, they can. So we need to register this policy.

01:57

We do that over in the auth service provider over in app and providers. And we can register this just here. So we're going to go ahead and set the book class. That's our model to the book policy.

02:09

That's the policy that we've just created. And we're done. So we can now just start to use this policy to authorize this action. So we do this directly within delete book.

02:19

Now, to authorize this, we do this. This, authorize. And that's a method on LiveWire's component class. So this isn't anything to do with the standard Laravel stuff.

02:30

It's like a proxy for the authorize method. And in here, we give the action. And then we give the book. Now, we don't have the book because we need to look it up first.

02:40

So we can do this first. Look the book up. There's nothing wrong with looking a book up by its ID in terms of security. But then before we delete this, we authorize this.

02:50

So remember, I said that the user is implicit. When we call this authorize method, the user will automatically be passed through and the book we are passing in just here. So that will authorize whether we're allowed to delete this or not.

03:04

Let's try this out. And we're going to try this out with another user as well. So I'm going to go ahead and delete this book. Sure enough, it works.

03:10

So I am authorized to delete this. Obviously, because I own these books. They are in my account. And we're only grabbing the books that I have.

03:19

So let's go over to our database. And let's change around one of these books for another user. So we don't have any other users. Let's duplicate this down.

03:28

And we'll switch this to Mabel. So we'll save that out. Mabel has an ID of 2. So I'm going to take this another book and switch that over to her.

03:39

So we shouldn't see that now in there. Because obviously, we're listing a list of books just from us. But I can modify this. So over to the database, let's grab the ID of this book.

03:51

It's 27. And this book, if we hit inspect element on this, is 26. I can switch this over to 27. And then when I click on this, this action is unauthorized.

04:06

So what I've done is modified this on the front end to try and delete a book that doesn't belong to me. But because we now have that authorize action in there, it means that we're just seeing an error now.

04:17

And really importantly, that has not been deleted from the database. So this is the very basics of authorization in Livewire. There are a couple of more advanced things we could do. But most of the time, you'll just be calling authorize.

04:29

Whether you use a policy or specifically use a gate, it doesn't really matter. But this tends to be how we authorize things. So important to remember, whenever we're doing anything like this, where we can specifically modify the ID on the client side, we always authorize an action before we do something.

Episode summary

In this episode, we dive into the basics of authorization in Laravel Livewire, especially focusing on why it's super important to protect actions like deleting a book. We start by discussing how, even though a user might not actually enter the ID of the book to be deleted, anything sent from the client can be tampered with, so we can't blindly trust it. Without proper checks, someone could potentially delete another user's book—definitely not what we want!

To prevent this, we set up a policy in Laravel that governs who can perform certain actions on a "Book". You’ll see how easy it is to create a BookPolicy, define a method for deleting, and register it in the AuthServiceProvider. The check is simple: only the book's owner is allowed to delete it.

Next, we wire this up in our Livewire component. Before deleting a book, we fetch it by its ID, then run the authorize method to ensure the current user has permission to proceed. As a quick demo, we try deleting a book with another user (by manipulating things on the client side) and—thanks to our policy—Livewire throws an unauthorized error and the database record remains untouched.

By the end of this episode, you'll see just how important (and easy) it is to authorize actions like deletions, and you’ll know exactly where to put these checks in your own Livewire apps.

Episode discussion

No comments, yet. Be the first!