Filament, 2w ago
Dom

How safe is filament on the frontend?

Using the forms on a public-facing page. Does it require custom Laravel input validation? Anything I should definitely pay attention to? I'm calling my own create function in a custom Livewire component with the submit button. Or maybe it's a question of how safe Livewire is?
5 Replies
toeknee, 2w ago
It's all 100% safe. But how you build it will be the issue. For example, your create function: who can create? What anti-spam checks are you doing, etc.? Validation is native Laravel and some server-side, so again safe.
toeknee, 2w ago
For good practice Laravel Daily is a good example: https://filamentexamples.com/project/appointment-reservation-public-form

Linked page preview (Filament Examples, "Appointment System with Public Form"): This project demonstrates three Filament features: how to show dynamic radio button values (timeslots) in live mode based on the values in other fields (date); how to re-use the admin panel form outside of the admin panel, on a public page; and how to use FullCalendar to show the calendar of tasks.
Dom (OP), 2w ago
Thanks! So if I understand it correctly, in this code the additional validation is unnecessary?
```php
use Illuminate\Support\Facades\Auth;
use Illuminate\Validation\Rule;

// Authorization check: only logged-in users may create a listing.
if (! Auth::check()) {
    abort(403, 'You must be logged in to create a listing.');
}

// Manual server-side validation of the submitted $data array, duplicating
// the rules already declared on the Filament form fields.
$validated = validator($data, [
    'title' => ['required', 'string', 'max:255'],
    'description' => ['string'],
    'price' => ['required', 'numeric', 'min:0'],
    'quality' => ['required', Rule::in(['new', 'almost_new', 'used', 'faulty'])],
    'country' => ['required', 'string', 'max:255'],
    'street' => ['nullable', 'string', 'max:255'],
    'zip_code' => ['required', 'integer'],
    'city' => ['required', 'string', 'max:255'],
    'category_id' => ['exists:listing_categories,id'],
    'attributes' => ['array'],
    'attributes.*' => ['nullable', 'string', 'max:255'],
])->validate();
```
The reason I thought I should put it in, just in case, is that maybe users can send a direct request to the component without using the Filament fields. I would assume that if I put a public admin panel on my site, that would be completely safe. But what if I just use the form builder in a simple Livewire component?
toeknee, 2w ago
If you are using the Form class then that is not needed, correct. We use the validator within the fields if you have set them correctly.
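As an added illustration (not code from this thread or from the Filament project), here is what the answer above looks like in a public-page Livewire component: the validation rules live on the Filament fields, `$this->form->getState()` runs them server-side before anything is saved, and the authorization and anti-spam decisions stay in the developer's own `create()` method. The `Listing` and `ListingCategory` models, the `listing_categories` table and the Blade view name are assumptions.

```php
namespace App\Livewire;
use App\Models\Listing;          // assumed Eloquent model
use App\Models\ListingCategory;  // assumed Eloquent model
use Filament\Forms\Components\Select;
use Filament\Forms\Components\TextInput;
use Filament\Forms\Concerns\InteractsWithForms;
use Filament\Forms\Contracts\HasForms;
use Filament\Forms\Form;
use Illuminate\Support\Facades\Auth;
use Livewire\Component;

class CreateListing extends Component implements HasForms
{
    use InteractsWithForms;

    // Livewire syncs this property with the browser, so treat it as untrusted input.
    public ?array $data = [];

    public function mount(): void
    {
        $this->form->fill();
    }

    // The rules live on the fields; no separate validator() call is needed.
    public function form(Form $form): Form
    {
        return $form->schema([
            TextInput::make('title')->required()->maxLength(255),
            TextInput::make('price')->required()->numeric()->minValue(0),
            Select::make('quality')->required()
                ->options(['new' => 'New', 'almost_new' => 'Almost new', 'used' => 'Used', 'faulty' => 'Faulty']),
            Select::make('category_id')->required()
                ->options(fn () => ListingCategory::pluck('name', 'id'))
                ->exists(table: 'listing_categories', column: 'id'),
        ])->statePath('data');
    }

    public function create(): void
    {
        // Authorization and anti-spam are not the form's job: decide who may call this.
        abort_unless(Auth::check(), 403, 'You must be logged in to create a listing.');
        // getState() validates server-side and returns only the schema's fields, so a
        // hand-crafted Livewire request cannot skip the rules or smuggle extra keys.
        $state = $this->form->getState();
        Listing::create($state + ['user_id' => Auth::id()]);
        $this->form->fill();
    }

    public function render() { return view('livewire.create-listing'); } // assumed view
}
```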
Dom (OP), 2w ago
Great, thank you!