doefom, When developing #Laravel applications I'm always a little afraid of sending emails to actual customers or placing real orders by accident. So I came up with a habit that works super well for me and maybe this will suit you as well.
In my /config/mail.php I add a 'developer' email address and ensure in my AppServiceProvider all emails are sent to this address when in non-production environments no matter what. Makes me build and test stuff way more confidently 😁
Is there a better approach?
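One way to implement the habit described in the post, as an added example rather than doefom's own code: a service provider that redirects every outgoing message outside production. It assumes a `developer` key has been added to `config/mail.php` (for instance `'developer' => env('MAIL_DEVELOPER_ADDRESS')`); that key and the env variable name are assumptions, not Laravel defaults.

```php
<?php
// Added example (not the poster's code): force every e-mail to a developer
// address unless the app runs in production. Assumes config/mail.php
// contains a 'developer' key (assumed name).

namespace App\Providers;

use Illuminate\Support\Facades\Mail;
use Illuminate\Support\ServiceProvider;

class AppServiceProvider extends ServiceProvider
{
    public function boot(): void
    {
        // Anything other than production (local, staging, testing) is
        // treated as unsafe for real recipients.
        if ($this->app->environment('production')) {
            return;
        }

        $developer = config('mail.developer');

        if (! is_string($developer) || $developer === '') {
            // Fail closed: with no known safe recipient, write mail to the
            // log instead of risking delivery to a real customer.
            config(['mail.default' => 'log']);

            return;
        }

        // Replaces every to/cc/bcc on every message sent through the default
        // mailer, regardless of what the calling code asked for.
        Mail::alwaysTo($developer);
    }
}
```

`Mail::alwaysTo()` applies to the mailer the facade resolves; a mailer fetched explicitly with `Mail::mailer('name')` is configured separately, where the per-mailer `'to' => ['address' => ..., 'name' => ...]` entry in `config/mail.php` gives the same effect. Whichever route you pick, a test that sends a message and asserts on the recipient keeps the guard from silently disappearing during a refactor.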
valorin, It's incredibly common to find hardcoded domains used for identifying admins, however this also makes it trivial to escalate privileges to admin! 😈
https://securinglaravel.com/security-tip-privilege-escalation-through-domain-wildcards/
#Laravel
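To make the class of bug concrete, here is an added example (not code from the linked tip): a loose domain check next to a stricter one. It assumes the flaw in question is suffix or wildcard matching on the address; the domain `example.com` is a constructed value.

```php
<?php
// Added example, not from the linked tip. Domain and function names are
// constructed for illustration.

// Weak: a suffix match accepts any address whose text merely ends with
// the company domain, which is not the same as belonging to it.
function isAdminWeak(string $email): bool
{
    return str_ends_with($email, 'example.com'); // constructed domain
}

// Stricter: take the text after the last '@', require a non-empty local
// part, and compare the domain exactly (case-insensitively).
function isCompanyAddress(string $email, string $allowedDomain): bool
{
    $at = strrpos($email, '@');
    if ($at === false || $at === 0) {
        return false;
    }

    $domain = strtolower(substr($email, $at + 1));

    return $domain === strtolower($allowedDomain);
}

// Better still: do not derive authority from the address at all. Keep an
// explicit role on the user record, granted by an administrator, and
// check that. The e-mail address is then only an identifier.
function isAdmin(object $user): bool
{
    return $user->role === 'admin'; // assumed 'role' column
}
```

Even the exact comparison only means something once the address has been verified (Laravel's `email_verified_at`) and the domain's mailbox creation is controlled by you; otherwise anyone who can register a mailbox at that domain inherits the privilege. The explicit role is the option to reach for in new code.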
peach, Having a lot of fun with orchestra/testbench for #laravel . Took a little bit to get my head around it but getting there.
derickr, @denniskoch Xdebug doesn't care about this — your IDE might though!
denniskoch, @derickr Yes. Might have worded that wrong and it's for PhpStorm. But in the end "Xdebug won't work" (in this IDE)
simonhamp, If anyone out there is looking to hire #laravel developers, I would love to help you find the perfect match
Send me a private message
markusstaab, Today I collaborated with ondrey on a fix for #phpstan which improves a previous performance fix, which caused perf regressions in a #laravel edge-case.
The new fix brings the analysis down to 2-3 seconds instead of 2-3 minutes in all the mentioned cases.
Reported issue was https://github.com/phpstan/phpstan/issues/10979
valorin, Securing Laravel has now officially moved to Ghost from Substack! 🎉
I'll be sending out the first Security Tip written on Ghost later today, but first, it's time for a migration discount!
For the next 2 weeks, you can get 25% off a new Securing Laravel subscription! 🎂
outofcontrol, @valorin Congrats on completing the move!
dunglas, Yesterday I learned that it's possible to change the path where #Laravel apps store uploaded files, caches, logs, etc thanks to the LARAVEL_STORAGE_PATH env var. This is super convenient when distributing apps as standalone binaries using FrankenPHP.
cooptilleuls, We are pleased to announce the release of @ApiPlatform 3.3! Discover with @soyuka, the framework's release manager, what this new version contains:
🖍️ New options added to the metadata classes
✨ An opening towards #Laravel
🔩 And plenty of new features
https://les-tilleuls.coop/blog/sortie-de-api-platform-3-3
Feedback greatly appreciated!
Crell, @sirber Pretty good overall, but does have a bit of a higher curve. If Laravel cribs from Ruby on Rails, Symfony is inspired by Java Spring Boot. When I want a major framework I usually go Symfony.
Crell, @sirber Oh, and on the faux decorators, those are Annotations. A hack to do them in docblocks.
PHP now has native attributes and basically everyone who matters has switched over to them. Much nicer, natively supported.
pieceofthepie, #ProLifeTip. Put more effort into periodically reinforcing the learning that got you to this point in your career, because at some point you might spend a weekend implementing something from scratch and realising you've literally forgotten it all.
The wheels aren't rusty, they've fallen off.
How does one work with #Laravel?
What is a Dockerfile? WTF is Vite?
SamStrong, @pieceofthepie You can rebuild that knowledge pretty quick though. Your understanding of the underlying structures is still there.
pieceofthepie, @SamStrong oh yeah, it took a weekend not months/years.
But still, quite humbling to realise you're essentially back to the drawing board.
pieceofthepie, Been battling to get #LaravelSail working with rootless #Podman all evening and am not having much luck. Boo to overly complex things.
It's so close to working well but the whole uid/gid mapping thing just falls apart when the container starts running things as different users. All of a sudden there're large parts of my source tree that I can't edit, not to mention being unable to use artisan make tools.
Nitrousoxide, @pieceofthepie
There are a few potential ways to handle userns issues.
The most straightforward one that usually solves it all is to just run the userns as keep-id
https://docs.podman.io/en/latest/markdown/podman-run.1.html#userns-mode
If you do want to keep separate uid spaces, there's uidmap which gives you a lot of control
https://docs.podman.io/en/latest/markdown/podman-run.1.html#uidmap-flags-container-uid-from-uid-amount
pieceofthepie, @Nitrousoxide I ended up going with that first one, but only after I'd moved away from #LaravelSail since it was doing something that would stop keep-id from working.
All good now.
doefom, Using the "Higher Order Messages" of #Laravel can save you some code. The following examples all filter for published posts in three different ways. I'm not yet sure which way I like the most. Probably (2) and (3).
michael, @doefom I don’t like 3. It requires significant mental overhead for me.
My favourite is 2 by a very large margin.
michael, @doefom actually I think in this particular instance my favourite would be option 4:
User::where('is_published',1)->get()
😜
j3j5, Question for my #laravel fellas:
Do you think
Bus::dispatch()
and dispatch()
behave exactly the same? Should they?
Boosts appreciated, obviously :)
michael, @j3j5 I actually managed to get a PR merged recently, but yeah, you gotta have quite thick skin (and be quite deferential, which doesn’t come naturally to me 😬)
j3j5, @michael yeah, not my first rodeo and I keep reporting and making PRs because I still benefit from them. I can understand from the other side, a repo like that isn't easy to manage, but that's why I try to make the issues and PRs as clear as possible. I think in this case Dries didn't read past the "not 100% sure if it's a bug" 🤷
valorin, Do you use Encrypted Environment files in Laravel?
I think they are great for some special use cases, but given the prevalence of API keys and credentials found in repos, is it worth it to use them all the time?
There was a bit of a debate about this last time I posted it, so I'm curious to see how we're all feeling about them now. Or maybe I'm just being an old security grump? 🧐
https://securinglaravel.com/p/security-tip-encrypting-environment
#Laravel
j3j5, @valorin I don't use them on any of my projects but I do see how they can be useful for a shared local .env
Prod credentials on the repo on the other hand? No way José!
doefom, Does Google index my web application when using #Laravel with #inertiajs (no SSR)? I read articles that say it doesn't, I read articles that say JS is no longer an issue for Google. What's true? Or can there even be a clear answer here?
shawnhooper, @doefom I have a site built w/ Inertia (no SSR), and it seems to show up in Google okay.
rolfdenhartog, I was asked to upgrade/update an old #laravel (5.3) project to the latest version of laravel and #php. I've already seen the code and let's say it's going to be interesting. A lot of customizations 😱 Not calling parent constructors which contain dependencies for example (probably not necessary). And also not even following certain Laravel standards. What did they use of the Laravel framework? Facades and helper functions 😑 (I really don't like them, just use constructor DI 😉)
rolfdenhartog, @Crell Thanks! I'm aware of Laravel Shift 😊 I need permission first obviously. I've done several upgrades before on other projects. Shouldn't be a big challenge/problem 😄
tvbeek, @rolfdenhartog if I'm correct there is a #rector rule to transform the facades to DI. That can help you. (I found facades a bad part of the framework)
And maybe Laravel shift can help you.
Good luck with the upgrade!
doefom, #Laravel models can use casts to transform a value when either getting or setting it. In this case I use this feature to remove id, class and style attributes from an HTML string while I want to keep the other ones.
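As an added example (not doefom's cast), here is one way to build that cast: an Eloquent cast class that drops `id`, `class` and `style` on write while keeping every other attribute, using `DOMDocument` instead of a regex so that quoting and nesting are handled by a real HTML parser. The class name and the column it is attached to are my choices.

```php
<?php
// Added example, not the poster's implementation. Class name is assumed.

namespace App\Casts;

use DOMDocument;
use DOMXPath;
use Illuminate\Contracts\Database\Eloquent\CastsAttributes;
use Illuminate\Database\Eloquent\Model;

class StripPresentationAttributes implements CastsAttributes
{
    // Attribute names to remove; everything else is preserved.
    private const REMOVE = ['id', 'class', 'style'];

    // Reading back returns the stored (already cleaned) HTML unchanged.
    public function get(Model $model, string $key, mixed $value, array $attributes): mixed
    {
        return $value;
    }

    // Writing cleans the value before it reaches the database.
    public function set(Model $model, string $key, mixed $value, array $attributes): mixed
    {
        return $value === null ? null : self::strip((string) $value);
    }

    public static function strip(string $html): string
    {
        $doc = new DOMDocument();
        $previous = libxml_use_internal_errors(true);

        // Wrap the fragment in a div so it parses without an implied
        // <html><body>; the XML declaration makes libxml treat it as UTF-8.
        $doc->loadHTML(
            '<?xml encoding="utf-8"?><div>' . $html . '</div>',
            LIBXML_HTML_NOIMPLIED | LIBXML_HTML_NODEFDTD
        );
        libxml_use_internal_errors($previous);

        // Collect first, then remove, so the list is not mutated mid-walk.
        $xpath = new DOMXPath($doc);
        $query = implode(' | ', array_map(fn ($n) => "//@{$n}", self::REMOVE));
        $targets = iterator_to_array($xpath->query($query), false);

        foreach ($targets as $attr) {
            $attr->ownerElement->removeAttribute($attr->nodeName);
        }

        // Serialise the wrapper's children only, not the wrapper itself.
        $out = '';
        foreach ($doc->documentElement->childNodes as $child) {
            $out .= $doc->saveHTML($child);
        }

        return $out;
    }
}
```

Attach it in the model with `protected $casts = ['body' => StripPresentationAttributes::class];` (or the `casts()` method in Laravel 11). One caveat worth stating plainly: this keeps every attribute other than the three named, including `on*` event handlers and `href` values, so it is a presentation cleanup, not an XSS sanitiser. If the HTML comes from users, run it through an allowlist-based sanitiser first and use this cast only for the styling concern the post describes.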
valorin, Let's check out three of the configuration options available as part of Laravel 11's Automatic Password Rehashing: custom fields, disabling rehashing, and changing bcrypt rounds.
https://securinglaravel.com/p/security-tip-laravel-11s-automatic
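For orientation, an added example (not taken from the tip) of where two of those three options live in a Laravel 11 `config/hashing.php`, with comments on what each setting trades off. The keys are the real ones from the default config; the comments are mine.

```php
<?php
// Added example: a trimmed Laravel 11 config/hashing.php. Keys are the
// framework's own; the commentary is added here.

return [
    'driver' => env('HASH_DRIVER', 'bcrypt'),

    'bcrypt' => [
        // Laravel 11 defaults to 12 rounds (older releases used 10).
        // Each extra round doubles hashing time for an attacker and for
        // your login path alike, so measure before raising it further.
        'rounds' => env('BCRYPT_ROUNDS', 12),

        // Refuse to verify a hash produced by a different algorithm, so a
        // stored hash cannot be quietly downgraded to a weaker format.
        'verify' => true,
    ],

    // When true, a user whose stored hash used fewer rounds than the
    // setting above is transparently rehashed on successful login.
    // Set to false only if another system shares these hashes and
    // must keep reading them unchanged.
    'rehash_on_login' => true,
];
```

The third option, a custom password column, is not a config key: override `getAuthPasswordName()` on the `User` model (it comes from the `Authenticatable` trait and returns `'password'` by default) so that both verification and rehashing read and write the column you name.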
matthewtrask, so @weaverryan has just announced he has an incurable type of brain cancer.
https://twitter.com/weaverryan/status/1777326885292114048
His family needs support and I know the #phpc loves to show up for people in the community. Please help out if you can.
paladin, @flanger I did run the upgrade script locally and after all was finished and ran locally, I deployed it to PROD. It's just the basic forge deploy script with some more "restart queues" and so on things but after the deployment, all data was truncated in the db
flanger, @paladin Okay, but it sounds like that's a different error you encountered. Since the livewire upgrade script just replaces livewire code and doesn't touch the database at all.
Anyways, hopefully you got backups 🙏
valorin, Limiting access to remote files is easy if you're using something like S3, but what about limiting access to local files?
Here's my solution: https://securinglaravel.com/p/security-tip-restricting-local-file
#Laravel
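One defensible pattern for the local-file case, shown as an added example that is not the tip's own solution: keep files on the non-public `local` disk and hand them out only through a controller that authorises first. It assumes a `Document` model with a `path` column and a `DocumentPolicy` exposing a `view` ability; both are assumptions for the example.

```php
<?php
// Added example, not the linked tip's code. Document model, its 'path'
// column, the 'documents/' prefix and the 'view' policy ability are assumed.

namespace App\Http\Controllers;

use App\Models\Document;
use Illuminate\Support\Facades\Gate;
use Illuminate\Support\Facades\Storage;
use Symfony\Component\HttpFoundation\StreamedResponse;

class DocumentController extends Controller
{
    public function show(Document $document): StreamedResponse
    {
        // Authorise before touching the filesystem: the policy decides,
        // not the fact that the caller guessed a valid id.
        Gate::authorize('view', $document);

        $disk = Storage::disk('local');

        // Treat the stored path as data, not as an instruction. Even a
        // value from the database is re-checked before use.
        $path = self::safePath($document->path);

        if ($path === null || ! $disk->exists($path)) {
            abort(404);
        }

        // Streams the file from storage/app, which the web server never
        // serves directly, with an inline Content-Disposition.
        return $disk->response($path, basename($path));
    }

    // Accept only relative paths under documents/ with plain segments.
    private static function safePath(string $stored): ?string
    {
        $normalised = str_replace('\\', '/', $stored);

        foreach (explode('/', $normalised) as $segment) {
            if ($segment === '' || $segment === '.' || $segment === '..') {
                return null;
            }
        }

        return str_starts_with($normalised, 'documents/') ? $normalised : null;
    }
}
```

Register it as `Route::get('/documents/{document}', [DocumentController::class, 'show'])->middleware('auth');`. Because the disk root is `storage/app`, nothing here is reachable by URL except through this route, so the policy is the single place access is decided and the single place to audit.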
array, I'm pretty amazed with #Laravel+ #Vue+ #Inertia. In a nutshell, you don't have to write routes for your API endpoints and then routes in your frontend views, and then frontend methods to retrieve data and so on. You mostly work as if you were serving your server-side rendered views, write your models and controllers, and then you just pass the data as props to your Vue pages and components, and bang, done! I'm really having fun with my pet project. :)
valorin, One of my favourite security tricks is to install Canary Tokens in all of my apps. (I also put them in my live code talks too!)
They'll tell you if anyone is snooping around your code who shouldn't be! 🕵️
Kovah, I'm about to implement achievements for @cloudhiker. Anyone know a great method to show toasts/popup notifications in the #frontend for unlock events, which do not involve setting up websockets with #Laravel Echo? 🥺
Kovah, @shaedrich Oh that looks interesting! Will have a deeper look if that could be used. Thanks!
Kovah, @shaedrich I would like to avoid websockets as long as possible. It adds too much complexity for a simple "Achievement unlocked" banner.