SOLVED: Potential Security Issue - Filament isn't exposing model attributes. It was a false alarm.
EDIT: false alarm. It turns out that the Livewire tab in DebugBar isn't actually showing what Livewire is sending to the browser. So the apparent leakage of sensitive data is just the display of Livewire's internal server state by DebugBar.
I was surprised to see my full model data including sensitive attributes in DebugBar's Livewire tab, despite these attributes being listed in the model's $hidden array, as documented on Filament's security page. See attached screenshot.
Am I missing something? Is there some other function I need to call to prevent these secure properties from being serialised and sent to the browser?
5 Replies
I wouldn't consider this a security issue, as this is a tool for debugging.
Thanks. I'm aware of the security policy but I wanted to discuss it here first before raising it with Dan as I wasn't sure if there was something I was missing.
I'm aware that DebugBar is a debugging tool. I've not used Livewire before and I'm unclear what the Livewire tab in DebugBar is showing. At first glance it looks like it's collecting and displaying the Livewire traffic being sent to the browser.
So I would like to be sure that what it's showing is NOT what is being sent to the browser by Filament or Livewire.
You could inspect the actual response payload in the network tab to verify.
Solution
I had a look at the Chrome network tab and don't see anything untoward. I had a feeling I was missing something and wanted to discuss it here. Thanks.
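The manual network-tab check above can also be made repeatable. The following PHPUnit feature test is an added example, not code from the thread or from Filament, and it assumes a Livewire component `App\Livewire\ShowUser` that receives a `User` model whose `$hidden` array lists `api_token`; it asserts that the hidden value appears neither in Eloquent's serialised form nor in the HTML (including the `wire:snapshot` payload) that Livewire renders for the browser.

```php
<?php
// Added example (assumed names): verifies that an attribute listed in a model's
// $hidden array never reaches the Livewire payload rendered for a component.

namespace Tests\Feature;

use App\Livewire\ShowUser;          // assumed component under test
use App\Models\User;                // assumed model with 'api_token' in $hidden
use Illuminate\Foundation\Testing\RefreshDatabase;
use Livewire\Livewire;
use Tests\TestCase;

class HiddenAttributeLeakTest extends TestCase
{
    use RefreshDatabase;

    public function test_hidden_attribute_is_not_in_livewire_payload(): void
    {
        // Constructed secret; chosen so it cannot occur by accident in markup.
        $secret = 'constructed-secret-value-9f3a';

        // Assumes the users table/factory has an api_token column.
        $user = User::factory()->create(['api_token' => $secret]);

        // Eloquent serialisation must already omit the hidden attribute.
        $this->assertArrayNotHasKey('api_token', $user->toArray());
        $this->assertStringNotContainsString($secret, $user->toJson());

        // Render the component as a request would; Livewire's test helper returns
        // the HTML that ships to the client, including the wire:snapshot data.
        $component = Livewire::test(ShowUser::class, ['user' => $user]);

        $component->assertDontSee($secret);
        $this->assertStringNotContainsString($secret, $component->html());
    }
}
```

Run it with `php artisan test --filter=HiddenAttributeLeakTest`; a failure here means something beyond DebugBar's display is putting the hidden attribute into the response.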