search

wire-elements / livewire-strict

Livewire Strict helps to enforce security measures and prevents you from leaving sensitive public properties unprotected.
https://wire-elements.dev/blog/livewire-strict-enforce-additional-security-measures-to-livewire
MIT License
48 stars 0 forks source link

lockProperties() interferes with 3rd party plugins #1

Closed tpetry closed 1 month ago

tpetry commented 1 month ago

3rd party components e.g. Filament can't work when lockProperties() is activated because they (obvioulsy) don't use the package and have not unlocked their components yet. So it would be great if e.g. all components in vendor could be excluded.

For components that extend vendored components it would be tricky too. So maybe an additional opt-in/opt-out for specific App namespaces would be great. But that would probably make Livewire less strict when the strict mode is configured bad? So any non-vendir should maybe just use #[Unlocked] for the whole class?

PhiloNL commented 1 month ago

Thanks @tpetry 😄 Working on a solution for this 🙌🏻

DanjBethel commented 1 month ago

Any traction on this? Currently having this same issue with Laravel Pulse

PhiloNL commented 1 month ago

@tpetry @DanjBethel added this: https://github.com/wire-elements/livewire-strict/releases/tag/2.0.0

By default, it will only lock components inside the App\Livewire\* namespace. If you want you can override this:

LivewireStrict::lockProperties(components: [MyComponent::class, 'SomeNamespaces/*']);