🔒 Add #[Locked] attribute to Livewire components to enhance security against client-side state tampering

2026-02-04 15:53:17 +00:00 · 2026-02-03 22:49:42 +01:00
parent 71ce57ddd3
commit 2957e89c79
13 changed files with 149 additions and 2 deletions
--- a/resources/views/livewire/association/project-support/form/create.blade.php
+++ b/resources/views/livewire/association/project-support/form/create.blade.php
@@ -3,6 +3,7 @@
 use App\Models\ProjectProposal;
 use App\Support\NostrAuth;
 use Livewire\Attributes\Layout;
+use Livewire\Attributes\Locked;
 use Livewire\Attributes\Title;
 use Livewire\Component;
 use Livewire\WithFileUploads;
@@ -25,8 +26,10 @@ class extends Component

    public $file = null;

+    #[Locked]
    public bool $isAllowed = false;

+    #[Locked]
    public bool $isAdmin = false;

    public function mount(): void
--- a/resources/views/livewire/association/project-support/form/edit.blade.php
+++ b/resources/views/livewire/association/project-support/form/edit.blade.php
@@ -3,6 +3,7 @@
 use App\Models\ProjectProposal;
 use App\Support\NostrAuth;
 use Livewire\Attributes\Layout;
+use Livewire\Attributes\Locked;
 use Livewire\Attributes\Title;
 use Livewire\Component;
 use Livewire\WithFileUploads;
@@ -14,6 +15,7 @@ class extends Component
 {
    use WithFileUploads;

+    #[Locked]
    public ProjectProposal $project;

    public array $form = [
@@ -27,8 +29,10 @@ class extends Component

    public $file = null;

+    #[Locked]
    public bool $isAllowed = false;

+    #[Locked]
    public bool $isAdmin = false;

    public function mount($projectProposal): void
--- a/resources/views/livewire/association/project-support/index.blade.php
+++ b/resources/views/livewire/association/project-support/index.blade.php
@@ -6,6 +6,7 @@ use App\Models\ProjectProposal;
 use App\Support\NostrAuth;
 use Flux\Flux;
 use Illuminate\Database\Eloquent\Collection;
+use Livewire\Attributes\Locked;
 use Livewire\Component;

 new class extends Component {
@@ -17,12 +18,16 @@ new class extends Component {

    public string $search = '';

+    #[Locked]
    public Collection $projects;

+    #[Locked]
    public bool $isAllowed = false;

+    #[Locked]
    public ?string $currentPubkey = null;

+    #[Locked]
    public ?ProjectProposal $projectToDelete = null;

    protected $listeners = [
--- a/resources/views/livewire/association/project-support/show.blade.php
+++ b/resources/views/livewire/association/project-support/show.blade.php
@@ -4,19 +4,25 @@ use App\Livewire\Traits\WithNostrAuth;
 use App\Models\ProjectProposal;
 use App\Models\Vote;
 use App\Support\NostrAuth;
+use Livewire\Attributes\Locked;
 use Livewire\Component;

 new class extends Component {
    use WithNostrAuth;

+    #[Locked]
    public $projectProposal;

+    #[Locked]
    public bool $isAllowed = false;

+    #[Locked]
    public ?string $currentPubkey = null;

+    #[Locked]
    public ?object $currentPleb = null;

+    #[Locked]
    public bool $ownVoteExists = false;

    public function mount($projectProposal): void