I think it would be a great addition to the API to have increased control over loading targeting, I don’t disagree with you on that point at all. When I respond to issues here, I try to find how to achieve the intended result within the tool set currently available.
I will however argue and expand on my point earlier against mustaching method parameters (going outside of the original scope of this thread), and I guess argue the “natural” feeling of it. I’m also not targeting you individually, nothing personal, I’m putting it out there for anyone who reads through this so everyone can see the possible implications of this, or just have a better understanding of how it works and your options.
wire:click="method('{{ $variable }}')"
feels incredibly unnatural to me vs
wire:click="method"
Livewire does no tampering validation on anything inside of those method brackets. Open your inspector and change it to whatever you want. Almost every post on here, including this one, that makes use of it is always passing some sort of a database id. (My opinion, and many others’, is that IDs should never be exposed to the front end to begin with; that’s what slugs are for. But that’s another debate.)
I also don’t care to have brackets there, even empty, because someone who knows a thing or two about programming, but not how livewire works, is automatically tipped off that it’s referencing a method/function. It’s not that big of a deal, but it’s a bigger invitation for someone to try to tamper with it just to see what happens.
Yes, you can protect yourself by adding in additional validation before a database call is made. Or you can extract it to its own component, store the model internally, and not even accept a parameter to be passed in to begin with.
One of the trade-offs to using Livewire is that the id will still be exposed to the front end even going this route. In your console, it can be found at livewire.components.componentsById.{componentId}.data.{model}.id
However, Livewire does have tamper protection on it. If you change it and then try to make another request you will get:
"Livewire encountered corrupt data when trying to hydrate the [componentName] component. Ensure that the [name, id, data] of the Livewire component wasn’t tampered with between requests. "
You could even take it one step further and use the session to store your model and never pass it to the front.
TL;DR: Life is easier when you limit possible security concerns. Don’t mustache a method parameter you wouldn’t offer an input box for the user to change.
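
Added example, not part of the original post or of Livewire's own code: the two mitigations the post names, sketched as Livewire 2 components. The `Post` model, its policy, the `posts` relation and the view names are assumptions made for illustration.

```php
<?php
// Constructed for illustration; in a real app each class lives in its own file.
namespace App\Http\Livewire;

use App\Models\Post; // hypothetical Eloquent model
use Illuminate\Foundation\Auth\Access\AuthorizesRequests;
use Livewire\Component;

// Option 1: keep the parameter, but treat it as untrusted input.
// Blade: wire:click="delete('{{ $post->id }}')"
class PostList extends Component
{
    use AuthorizesRequests;

    public function delete($postId)
    {
        // $postId arrives from the browser and can be edited in the inspector.
        $post = Post::findOrFail((int) $postId);
        $this->authorize('delete', $post); // assumes a PostPolicy with delete()
        $post->delete();
    }

    // Assumes the User model has a posts relation.
    public function render() { return view('livewire.post-list', ['posts' => auth()->user()->posts]); }
}

// Option 2: one component per row, model stored internally, no parameter.
// Blade: wire:click="delete"
class PostRow extends Component
{
    use AuthorizesRequests;

    public Post $post; // id is visible client-side but covered by the checksum

    public function mount(Post $post)
    {
        $this->post = $post;
    }

    public function delete()
    {
        // The checksum shows the id was not changed; the policy decides access.
        $this->authorize('delete', $this->post);
        $this->post->delete();
    }

    public function render() { return view('livewire.post-row'); }
}
```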