feat: add Adminer database browser integration#199
Merged
Conversation
|
Note Reviews pausedIt looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the Use the following commands to manage reviews:
Use the checkboxes below for quick actions:
📝 WalkthroughWalkthroughThis PR adds a built-in Adminer database browser that allows authenticated users to browse and query MySQL, PostgreSQL, and SQLite databases directly from the application UI. Access is role-gated and disabled by default; Super Admins enable it and configure the minimum role required via application configuration settings. ChangesAdminer Integration
Estimated code review effort🎯 4 (Complex) | ⏱️ ~60 minutes Possibly related PRs
🚥 Pre-merge checks | ✅ 4 | ❌ 1❌ Failed checks (1 warning)
✅ Passed checks (4 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
![coderabbitai[bot]](https://avatars.githubusercontent.com/in/347564?s=60&v=4){kind=small}
There was a problem hiding this comment.
Actionable comments posted: 7
🧹 Nitpick comments (4)
resources/views/livewire/database-server/adminer-modal.blade.php (1)
1-24: Consider accessibility improvements for the modal.The modal implementation works well, but consider these accessibility enhancements:
- Add
titleattribute to the iframe for screen readers- Add
aria-labelto the close button- Consider adding keyboard escape handler to close the modal
♿ Proposed accessibility improvements
- <button class="btn btn-sm btn-ghost btn-circle" `@click`="$wire.closeModal()"> + <button class="btn btn-sm btn-ghost btn-circle" `@click`="$wire.closeModal()" aria-label="{{ __('Close') }}"> <x-icon name="o-x-mark" class="w-5 h-5" /> </button><iframe src="{{ $adminerUrl }}" class="w-full h-full border-0" allow="fullscreen" + title="{{ __('Database browser') }}" ></iframe>For keyboard escape handling, add to the outer div:
- <div class="fixed inset-0 z-50 flex items-start justify-center bg-black/60 backdrop-blur-sm" `@click.self`="$wire.closeModal()"> + <div class="fixed inset-0 z-50 flex items-start justify-center bg-black/60 backdrop-blur-sm" `@click.self`="$wire.closeModal()" `@keydown.escape.window`="$wire.closeModal()">🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@resources/views/livewire/database-server/adminer-modal.blade.php` around lines 1 - 24, The modal lacks basic accessibility attributes and keyboard support: add a meaningful title attribute to the iframe that uses the existing $adminerUrl/$serverName context, add an aria-label (or aria-labelledby) to the close button that calls $wire.closeModal(), and attach a keyboard Escape handler on the modal container (e.g., a keydown/keydown.window escape listener that invokes closeModal) so pressing Esc closes the modal when $showModal is true; update the elements referencing $showModal, the iframe, and the close button (the button that calls $wire.closeModal()) accordingly.routes/web.php (1)
73-77: Consider adding rate limiting to mitigate abuse.Since this route bypasses CSRF protection and provides database browser access, consider adding rate limiting middleware to prevent potential abuse (e.g., brute-force attempts through Adminer's login if session credentials are missing/expired).
🛡️ Proposed fix to add rate limiting
// Adminer database browser (excluded from CSRF in bootstrap/app.php) Route::any('/adminer', \App\Http\Controllers\Web\AdminerController::class) - ->middleware('auth') + ->middleware(['auth', 'throttle:60,1']) ->name('adminer');🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@routes/web.php` around lines 73 - 77, The Adminer route (Route::any('/adminer', \App\Http\Controllers\Web\AdminerController::class) with ->middleware('auth') and name 'adminer') lacks rate limiting; add a throttle middleware to that route (or a named limiter like 'adminer') and register the limiter via RateLimiter::for('adminer', ...) in your bootstrapping (or define a rule in App\Http\Kernel) so the route uses ->middleware(['auth','throttle:adminer']) or an equivalent throttle configuration to limit requests and prevent abuse.resources/css/adminer.css (1)
56-60: Replace the “I don't know why” note with the actual rendering constraint.If this rule is required, document the specific browser/Adminer bug it fixes or link the upstream issue; otherwise it will be impossible to tell later whether Lines 57-60 are still safe to remove.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@resources/css/adminer.css` around lines 56 - 60, Replace the vague comment above the thead CSS rule with a precise note describing the rendering constraint this rule addresses (e.g., specific browser/version or Adminer issue and a link or ticket ID), and if possible scope the workaround to that condition (for example mention the user-agent or a feature-detection note such as "@supports" or "only needed for Safari 14 on macOS" and the Adminer issue URL); update the comment to state whether the rule is a workaround for a browser bug, Adminer layout quirk, or a specific upstream issue and include the reference so future maintainers can verify or remove the rule, ensuring the selector in thead { top: 0px; position: static; } remains documented.app/Livewire/DatabaseServer/AdminerModal.php (1)
15-22: Add#[Locked]to shield the Adminer URL from client-side tampering.
$adminerUrlis a public scalar property assigned from a server-trusted source (route('adminer')in Lines 167-170 of Index.php) but remains client-writable. Without#[Locked], a client could modify it in DevTools to point to an unauthorized Adminer instance. Locking the property ensures the iframe target cannot be swapped after the server authorizes the endpoint.🔒 Suggested change
use Illuminate\View\View; +use Livewire\Attributes\Locked; use Livewire\Attributes\On; use Livewire\Component; @@ - public string $adminerUrl = ''; + #[Locked] + public string $adminerUrl = '';🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@app/Livewire/DatabaseServer/AdminerModal.php` around lines 15 - 22, The public scalar property $adminerUrl in AdminerModal remains client-writable, so add the Livewire #[Locked] attribute to the $adminerUrl declaration to prevent client-side tampering; update the AdminerModal class by annotating the $adminerUrl property with #[Locked] (keep the existing openModal(string $serverName, string $adminerUrl): void method and assignments intact) so the server-provided adminer URL cannot be modified from the client.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In `@app/Http/Controllers/Web/AdminerController.php`:
- Around line 13-30: Session-stored raw credentials are used to render Adminer
without re-checking authorization; instead, store only the DatabaseServer id in
session, then in AdminerController load the DatabaseServer model by that id
(e.g., $server = DatabaseServer::find($id)), call $this->authorize('view',
$server) (or authorize('view', $server)) to re-run the policy, rebuild the
$credentials array from the fresh $server record, and only then call
$adminer->render($credentials); also retain the existing initial-load logic that
populates $_POST['auth'] but use the freshly-authorized credentials rather than
the session blob.
In `@app/Livewire/DatabaseServer/Index.php`:
- Around line 159-165: Wrap the call to DatabaseServer::getDecryptedPassword()
in a try/catch inside the Livewire Index component before calling session()->put
so a decryption exception doesn't bubble and break the Livewire request; on
exception set the 'password' entry to the model's recovery message (e.g.
$server->getRecoveryMessage()) or another recovery accessor exposed by the
DatabaseServer model, then continue to session()->put(...) as before.
- Around line 159-165: Current code in Livewire/DatabaseServer/Index.php stores
decrypted DB passwords into session via session()->put including
getDecryptedPassword(), which persists raw secrets; change it to store only the
server identifier/context (e.g., server id, driver, host, db name) in session
and remove the decrypted password storage. Update AdminerController.php to
perform just-in-time decryption using Server::getDecryptedPassword() (or
equivalent) when handling the Adminer request and build credentials there
per-request, ensuring session contains no plaintext secrets and only a reference
to the target server/context.
In `@app/Services/AdminerService.php`:
- Around line 23-27: The AdminerService currently mutates process-global state
by calling chdir($vendorAdminer) before include and by defining ASSETS_VERSION
at runtime; update the code in the AdminerService (around the
startOutputBuffering(), defineAdminerObject(), chdir($vendorAdminer) and include
$vendorAdminer.'/adminer.php' sequence) to save the original working directory
with getcwd(), perform chdir() only for the include, and always restore the
original cwd in a finally block so the process-wide working directory is not
leaked; also remove the runtime define('ASSETS_VERSION', ...) and replace it
with a class constant (e.g., AdminerService::ASSETS_VERSION) referenced where
needed to avoid redefining a global constant across requests.
In `@bootstrap/app.php`:
- Around line 52-54: The /adminer route only has auth middleware and is exempted
from CSRF via validateCsrfTokens(except: ['adminer']), so add rate limiting to
prevent abuse: update the route registration for Adminer (the
Route::any('/adminer', AdminerController::class) entry) to include a throttle
middleware (for example 'throttle:60,1') alongside 'auth'; ensure openAdminer
(Livewire DatabaseServer Index) authorization remains intact and do not remove
the CSRF exemption, just attach the throttle middleware to the AdminerController
route.
In `@resources/css/adminer.css`:
- Line 2: The CSS `@import` referencing
'../../vendor/dg/adminer-custom/adminer.css' cannot be resolved by Vite (CI
error "Can't resolve ...") because it points outside the bundle root; fix by
either removing that import so the vendor stylesheet is served directly by
Adminer and this bundle contains only overrides, or copy the vendor file into
the build-managed path (e.g., place adminer.css into the same resources/css/
directory) and update the `@import` to the new local filename (e.g., change the
`@import` line in resources/css/adminer.css to import 'adminer.css' or
'adminer-vendor.css') so Vite can resolve it.
In `@resources/views/livewire/database-server/index.blade.php`:
- Around line 187-195: The Browse button rendering lacks an authorization check;
wrap the button block in an `@can`('browse', $server) directive (matching how
other actions use `@can`) and ensure the DatabaseServerPolicy implements a public
function browse(User $user, DatabaseServer $server) that denies Redis servers
(check $server->database_type !== \App\Enums\DatabaseType::REDIS) and verifies
the user's permission to access that server; keep the existing
wire:click="openAdminer('{{ $server->id }}')" and button attributes intact so
only authorized users see and can invoke openAdminer.
---
Nitpick comments:
In `@app/Livewire/DatabaseServer/AdminerModal.php`:
- Around line 15-22: The public scalar property $adminerUrl in AdminerModal
remains client-writable, so add the Livewire #[Locked] attribute to the
$adminerUrl declaration to prevent client-side tampering; update the
AdminerModal class by annotating the $adminerUrl property with #[Locked] (keep
the existing openModal(string $serverName, string $adminerUrl): void method and
assignments intact) so the server-provided adminer URL cannot be modified from
the client.
In `@resources/css/adminer.css`:
- Around line 56-60: Replace the vague comment above the thead CSS rule with a
precise note describing the rendering constraint this rule addresses (e.g.,
specific browser/version or Adminer issue and a link or ticket ID), and if
possible scope the workaround to that condition (for example mention the
user-agent or a feature-detection note such as "@supports" or "only needed for
Safari 14 on macOS" and the Adminer issue URL); update the comment to state
whether the rule is a workaround for a browser bug, Adminer layout quirk, or a
specific upstream issue and include the reference so future maintainers can
verify or remove the rule, ensuring the selector in thead { top: 0px; position:
static; } remains documented.
In `@resources/views/livewire/database-server/adminer-modal.blade.php`:
- Around line 1-24: The modal lacks basic accessibility attributes and keyboard
support: add a meaningful title attribute to the iframe that uses the existing
$adminerUrl/$serverName context, add an aria-label (or aria-labelledby) to the
close button that calls $wire.closeModal(), and attach a keyboard Escape handler
on the modal container (e.g., a keydown/keydown.window escape listener that
invokes closeModal) so pressing Esc closes the modal when $showModal is true;
update the elements referencing $showModal, the iframe, and the close button
(the button that calls $wire.closeModal()) accordingly.
In `@routes/web.php`:
- Around line 73-77: The Adminer route (Route::any('/adminer',
\App\Http\Controllers\Web\AdminerController::class) with ->middleware('auth')
and name 'adminer') lacks rate limiting; add a throttle middleware to that route
(or a named limiter like 'adminer') and register the limiter via
RateLimiter::for('adminer', ...) in your bootstrapping (or define a rule in
App\Http\Kernel) so the route uses ->middleware(['auth','throttle:adminer']) or
an equivalent throttle configuration to limit requests and prevent abuse.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: CHILL
Plan: Pro
Run ID: 51d1b366-bee9-44cd-afc1-77cb1c1d21d5
⛔ Files ignored due to path filters (1)
composer.lockis excluded by!**/*.lock
📒 Files selected for processing (14)
CLAUDE.mdapp/Http/Controllers/Web/AdminerController.phpapp/Livewire/DatabaseServer/AdminerModal.phpapp/Livewire/DatabaseServer/Index.phpapp/Services/AdminerService.phpapp/Services/adminer_object.phpbootstrap/app.phpcomposer.jsonphpstan.neonresources/css/adminer.cssresources/views/livewire/database-server/adminer-modal.blade.phpresources/views/livewire/database-server/index.blade.phproutes/web.phpvite.config.js
📜 Review details
🧰 Additional context used
🧠 Learnings (10)
📚 Learning: 2026-03-28T22:33:16.333Z
Learnt from: David-Crty
Repo: David-Crty/databasement PR: 195
File: app/Notifications/CLAUDE.md:7-12
Timestamp: 2026-03-28T22:33:16.333Z
Learning: In this repository (David-Crty/databasement), do not flag fenced Markdown code blocks that omit a language identifier (i.e., MD040: missing language after ```). The project treats unlabeled fenced code blocks as plain text by default, so missing language tags are acceptable for Markdown files.
Applied to files:
CLAUDE.md
📚 Learning: 2026-02-25T10:48:17.811Z
Learnt from: David-Crty
Repo: David-Crty/databasement PR: 132
File: app/Console/Commands/RecoverAgentLeasesCommand.php:44-48
Timestamp: 2026-02-25T10:48:17.811Z
Learning: When reviewing PHP code, especially with foreign keys that use cascadeOnDelete and are non-nullable, assume child relations exist at runtime (the database will delete children when the parent is deleted). Do not rely on null-safe operators for these relations, as PHPStan already models them as non-null. This guideline applies broadly to PHP files that define models with foreign keys using cascade delete; verify there are no unnecessary null checks or optional chaining on such relations.
Applied to files:
bootstrap/app.phpresources/views/livewire/database-server/index.blade.phpresources/views/livewire/database-server/adminer-modal.blade.phproutes/web.phpapp/Services/AdminerService.phpapp/Services/adminer_object.phpapp/Livewire/DatabaseServer/Index.phpapp/Http/Controllers/Web/AdminerController.phpapp/Livewire/DatabaseServer/AdminerModal.php
📚 Learning: 2026-02-24T10:43:22.287Z
Learnt from: David-Crty
Repo: David-Crty/databasement PR: 136
File: app/Models/DatabaseServer.php:250-258
Timestamp: 2026-02-24T10:43:22.287Z
Learning: Pattern mode (database_selection_mode = 'pattern') is not available for SQLite or Redis database servers. The UI conditionally hides the segmented control for these types in resources/views/livewire/database-server/_form.blade.php (line 242: !$form->isSqlite() && !$form->isRedis()).
Applied to files:
resources/views/livewire/database-server/index.blade.php
📚 Learning: 2026-01-30T22:27:46.107Z
Learnt from: David-Crty
Repo: David-Crty/databasement PR: 61
File: resources/views/livewire/volume/connectors/s3-config.blade.php:1-13
Timestamp: 2026-01-30T22:27:46.107Z
Learning: In Blade template files (any .blade.php) within the databasement project, allow using alert-info for informational content inside <x-alert> components. The guideline that permits alert-success and alert-error does not exclude using alert-info for informational purposes. Apply this consistently to all Blade components that render alerts; ensure semantic usage and accessibility.
Applied to files:
resources/views/livewire/database-server/index.blade.phpresources/views/livewire/database-server/adminer-modal.blade.php
📚 Learning: 2026-02-06T10:34:43.585Z
Learnt from: David-Crty
Repo: David-Crty/databasement PR: 75
File: resources/views/livewire/backup-job/_filters.blade.php:36-40
Timestamp: 2026-02-06T10:34:43.585Z
Learning: In Blade template files, when creating compact inline filter controls, prefer using native <input type="checkbox"> elements with daisyUI classes (e.g., checkbox checkbox-warning checkbox-xs) over the Mary UI <x-checkbox> component. The <x-checkbox> component adds wrapper markup (e.g., <div><fieldset><label> with gap-3) that can break tight inline flex layouts. Use the native input approach for compact inline controls, but reserve <x-checkbox> for form fields that require labels, hints, and errors.
Applied to files:
resources/views/livewire/database-server/index.blade.phpresources/views/livewire/database-server/adminer-modal.blade.php
📚 Learning: 2026-02-03T09:28:33.376Z
Learnt from: David-Crty
Repo: David-Crty/databasement PR: 69
File: resources/views/livewire/configuration/index.blade.php:62-75
Timestamp: 2026-02-03T09:28:33.376Z
Learning: In **/*.blade.php files for the databasement project: The `<x-popover>` component (likely MaryUI/DaisyUI) properly displays popovers even when the trigger is a disabled `<x-button>`. Unlike standard HTML, the framework handles pointer events for disabled button triggers correctly.
Applied to files:
resources/views/livewire/database-server/adminer-modal.blade.php
📚 Learning: 2026-03-14T17:22:01.553Z
Learnt from: David-Crty
Repo: David-Crty/databasement PR: 159
File: routes/ai.php:1-9
Timestamp: 2026-03-14T17:22:01.553Z
Learning: In the `laravel/mcp` package (first-party Laravel package, `laravel/mcp: "^0.6.2"`), the `McpServiceProvider` automatically loads `routes/ai.php`. Do NOT flag the absence of `routes/ai.php` registration in `bootstrap/app.php` as an issue — it is registered automatically by the package's service provider. MCP web and local server definitions (e.g., `Mcp::web(...)`, `Mcp::local(...)`) should be placed in `routes/ai.php` without any additional manual registration.
Applied to files:
routes/web.php
📚 Learning: 2026-02-04T12:26:48.720Z
Learnt from: CR
Repo: David-Crty/databasement PR: 0
File: CLAUDE.md:0-0
Timestamp: 2026-02-04T12:26:48.720Z
Learning: Applies to routes/web.php : Use `Volt::route()` helper for single-file authentication components in routing. Use Livewire component classes directly for other routes (e.g., `Route::get('resource', ComponentClass::class)`).
Applied to files:
routes/web.php
📚 Learning: 2026-02-04T12:26:27.374Z
Learnt from: David-Crty
Repo: David-Crty/databasement PR: 72
File: routes/web.php:66-81
Timestamp: 2026-02-04T12:26:27.374Z
Learning: In Laravel Livewire v4, prefer routing full-page Livewire components using Route::livewire('/path', ComponentClass::class) for all full-page components (whether class-based or view-based). While Route::get('/path', ComponentClass::class) remains technically functional for backward compatibility, it is not recommended in v4. Apply this guideline in all route files under routes (e.g., routes/web.php, routes/api.php) to ensure consistent, future-proof routing for Livewire components.
Applied to files:
routes/web.php
📚 Learning: 2026-02-18T09:45:52.485Z
Learnt from: David-Crty
Repo: David-Crty/databasement PR: 116
File: app/Livewire/DatabaseServer/ConnectionStatus.php:18-18
Timestamp: 2026-02-18T09:45:52.485Z
Learning: In Livewire components, Eloquent model properties (e.g., public DatabaseServer $server) are automatically locked by the framework to prevent client-side ID tampering. The #[Locked] attribute is only needed for scalar properties (int, string, bool, etc.) that require protection from client-side mutation. Apply this guidance to all Livewire PHP components; use #[Locked] only on primitive properties that you want to shield from client manipulation, and rely on automatic locking for Eloquent model properties.
Applied to files:
app/Livewire/DatabaseServer/Index.phpapp/Livewire/DatabaseServer/AdminerModal.php
🪛 GitHub Actions: tests
resources/css/adminer.css
[error] 1-1: Build failed during Vite/Tailwind processing: [@tailwindcss/vite:generate:build] Can't resolve '../../vendor/dg/adminer-custom/adminer.css' referenced from '/home/runner/work/databasement/databasement/resources/css'.
🪛 PHPMD (2.15.0)
app/Services/adminer_object.php
[warning] 38-38: Avoid unused parameters such as '$login'. (undefined)
(UnusedFormalParameter)
[warning] 38-38: Avoid unused parameters such as '$password'. (undefined)
(UnusedFormalParameter)
app/Http/Controllers/Web/AdminerController.php
[warning] 11-11: Avoid unused parameters such as '$request'. (undefined)
(UnusedFormalParameter)
🔇 Additional comments (6)
CLAUDE.md (1)
418-418: LGTM!Documentation updated to reflect the current PHP runtime version.
phpstan.neon (1)
16-18: Acceptable exclusion for Adminer glue code.The
adminer_object.phpfile operates in the global namespace as required by Adminer's plugin architecture, which doesn't play well with PHPStan's analysis. This exclusion is a reasonable tradeoff for vendor integration code.vite.config.js (1)
10-10: LGTM!Adding the Adminer stylesheet to Vite's input array enables proper cache-busting via the manifest, which
AdminerServiceuses to resolve the CSS path.resources/views/livewire/database-server/index.blade.php (1)
250-252: LGTM!The Adminer modal component is correctly placed alongside the other modals in the view.
composer.json (1)
19-19: Version constraint is appropriate.The
dg/adminer-custompackage constraint^3.3correctly targets the latest version (v3.3.1). No changes needed.app/Services/adminer_object.php (1)
9-54: Global hook placement looks right.Keeping
adminer_object()in the root namespace is the correct integration point for Adminer and fixes the namespace discovery problem cleanly.
There was a problem hiding this comment.
♻️ Duplicate comments (1)
app/Livewire/DatabaseServer/Index.php (1)
167-173:⚠️ Potential issue | 🟠 MajorDo not store decrypted DB passwords in session state.
Line 171persists plaintext credentials in session, andapp/Http/Controllers/Web/AdminerController.phplater reads and forwards them directly. This still expands secret exposure scope (session compromise, longer lifetime than needed). Keep only server/context in session and decrypt just-in-time in the controller per request.[suggested direction]
🔐 Minimal direction for this component
- session()->put('adminer_credentials', [ - 'driver' => $driver, - 'server' => $serverAddress, - 'username' => $server->username ?? '', - 'password' => $password, - 'db' => $db, - ]); + session()->put('adminer_context', [ + 'server_id' => $server->getKey(), + 'db' => $db, + ]);(Then resolve/decrypt in
AdminerControllerright before building$_POST['auth'].)🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@app/Livewire/DatabaseServer/Index.php` around lines 167 - 173, Remove storing the plaintext DB password from the Livewire component: stop putting 'password' into session in the Index class (the session()->put call that stores 'adminer_credentials'); instead persist only non-secret context (driver, server id/address, username or server id if needed, db). Update AdminerController (app/Http/Controllers/Web/AdminerController.php) to retrieve the server/context from session and perform decryption of the secret just-in-time inside the controller before constructing $_POST['auth'] (use the existing decryption helper/logic used elsewhere), then forward the transient decrypted password and immediately avoid re-persisting it to session. Ensure no plaintext password is written to session anywhere.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Duplicate comments:
In `@app/Livewire/DatabaseServer/Index.php`:
- Around line 167-173: Remove storing the plaintext DB password from the
Livewire component: stop putting 'password' into session in the Index class (the
session()->put call that stores 'adminer_credentials'); instead persist only
non-secret context (driver, server id/address, username or server id if needed,
db). Update AdminerController (app/Http/Controllers/Web/AdminerController.php)
to retrieve the server/context from session and perform decryption of the secret
just-in-time inside the controller before constructing $_POST['auth'] (use the
existing decryption helper/logic used elsewhere), then forward the transient
decrypted password and immediately avoid re-persisting it to session. Ensure no
plaintext password is written to session anywhere.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: CHILL
Plan: Pro
Run ID: 21cb2e80-189d-4320-a025-94670cc6c384
📒 Files selected for processing (2)
app/Livewire/DatabaseServer/Index.phpresources/views/livewire/database-server/index.blade.php
✅ Files skipped from review due to trivial changes (1)
- resources/views/livewire/database-server/index.blade.php
📜 Review details
🧰 Additional context used
🧠 Learnings (4)
📓 Common learnings
Learnt from: David-Crty
Repo: David-Crty/databasement PR: 199
File: app/Http/Controllers/Web/AdminerController.php:13-30
Timestamp: 2026-03-31T09:47:40.852Z
Learning: In David-Crty/databasement, `DatabaseServerPolicy::view()` returns `true` for all authenticated users unconditionally. Therefore, skipping a per-request `authorize('view', $server)` call in `AdminerController` (which is already protected by `auth` middleware) is intentional and acceptable. Do not flag the absence of a re-authorization check in `AdminerController` as a security issue unless the policy becomes more restrictive.
📚 Learning: 2026-03-31T09:47:40.852Z
Learnt from: David-Crty
Repo: David-Crty/databasement PR: 199
File: app/Http/Controllers/Web/AdminerController.php:13-30
Timestamp: 2026-03-31T09:47:40.852Z
Learning: In David-Crty/databasement, `DatabaseServerPolicy::view()` returns `true` for all authenticated users unconditionally. Therefore, skipping a per-request `authorize('view', $server)` call in `AdminerController` (which is already protected by `auth` middleware) is intentional and acceptable. Do not flag the absence of a re-authorization check in `AdminerController` as a security issue unless the policy becomes more restrictive.
Applied to files:
app/Livewire/DatabaseServer/Index.php
📚 Learning: 2026-02-18T09:45:52.485Z
Learnt from: David-Crty
Repo: David-Crty/databasement PR: 116
File: app/Livewire/DatabaseServer/ConnectionStatus.php:18-18
Timestamp: 2026-02-18T09:45:52.485Z
Learning: In Livewire components, Eloquent model properties (e.g., public DatabaseServer $server) are automatically locked by the framework to prevent client-side ID tampering. The #[Locked] attribute is only needed for scalar properties (int, string, bool, etc.) that require protection from client-side mutation. Apply this guidance to all Livewire PHP components; use #[Locked] only on primitive properties that you want to shield from client manipulation, and rely on automatic locking for Eloquent model properties.
Applied to files:
app/Livewire/DatabaseServer/Index.php
📚 Learning: 2026-02-25T10:48:17.811Z
Learnt from: David-Crty
Repo: David-Crty/databasement PR: 132
File: app/Console/Commands/RecoverAgentLeasesCommand.php:44-48
Timestamp: 2026-02-25T10:48:17.811Z
Learning: When reviewing PHP code, especially with foreign keys that use cascadeOnDelete and are non-nullable, assume child relations exist at runtime (the database will delete children when the parent is deleted). Do not rely on null-safe operators for these relations, as PHPStan already models them as non-null. This guideline applies broadly to PHP files that define models with foreign keys using cascade delete; verify there are no unnecessary null checks or optional chaining on such relations.
Applied to files:
app/Livewire/DatabaseServer/Index.php
🔇 Additional comments (1)
app/Livewire/DatabaseServer/Index.php (1)
137-141: Good guardrails in the Adminer entry flow.Redis is blocked early with a clear toast, and decryption failures are now handled without breaking the Livewire request. Nice improvement.
Also applies to: 159-165
|
IMO, this feature is potentially unwanted and should be opt-in only. |
Owner
Author
I'm planning to make it an opt-in feature, it will likely be disabled by default. To understand better why this feature might be unwanted @wblondel ? I have my own idea, but considering other viewpoints is always valuable. |
Codecov Report❌ Patch coverage is Additional details and impacted files@@ Coverage Diff @@
## main #199 +/- ##
============================================
- Coverage 90.55% 90.08% -0.47%
- Complexity 2559 2605 +46
============================================
Files 214 219 +5
Lines 9074 9231 +157
============================================
+ Hits 8217 8316 +99
- Misses 857 915 +58 ☔ View full report in Codecov by Sentry. 🚀 New features to boost your workflow:
|
There was a problem hiding this comment.
Actionable comments posted: 2
🧹 Nitpick comments (2)
app/Services/adminer_object.php (2)
9-44: ⚡ Quick winPrefer native type declarations for function/method signatures (verify Adminer parent compatibility first).
At Line 9 / Line 32 / Line 37 / Line 43, signatures still depend on PHPDoc or are untyped. Add native parameter/return types to match project standards, but first confirm compatibility with
\Adminer\Admineroverrides.Proposed change (if vendor signatures allow it)
-function adminer_object() +function adminer_object(): \Adminer\Adminer { @@ - public function login($login, $password) + public function login(mixed $login, mixed $password): bool { return true; } - public function headers() + public function headers(): void { header('X-Frame-Options: SAMEORIGIN'); } @@ - public function css() + public function css(): array { return [$this->cssPath]; }As per coding guidelines: "Use explicit return type declarations and type hints for all method parameters:
function isAccessible(User $user, ?string $path = null): bool".🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@app/Services/adminer_object.php` around lines 9 - 44, The methods in the anonymous class returned by adminer_object lack native type hints; update signatures to use native types while verifying compatibility with \Adminer\Adminer: add ?array $creds and string $cssPath types are already present on __construct (ensure constructor visibility matches parent if needed), change public function credentials(): array to explicitly return array, change public function login($login, $password): bool to declare parameter and return types (e.g. string $login, string $password): bool or match parent signature, change public function headers(): void to return nothing, and change public function css(): array to return array<string> (or array) — adjust nullable/union types to exactly match the parent method types in \Adminer\Adminer before committing.
16-27: ⚡ Quick winUse an array-shape PHPDoc for
$credsinstead of a generic string map.
credentials()relies on fixed keys at Line 26, soarray<string, string>|nullis too loose and weakens static checks.Proposed change
- /** `@param` array<string, string>|null $creds */ + /** `@param` array{server:string,username:string,password:string}|null $creds */ public function __construct( private ?array $creds, private string $cssPath, ) {}As per coding guidelines: "Use array shape type definitions in PHPDoc blocks".
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@app/Services/adminer_object.php` around lines 16 - 27, Update the PHPDoc for the constructor parameter $creds to an array-shape specifying the exact keys used (e.g. array{server:string,username:string,password:string}|null) so static analyzers know the expected keys, and ensure any property or class-level docblocks referencing $creds reflect the same shape; the change should be made near the __construct declaration and will align with the existing credentials(): array{string,string,string} method which accesses $this->creds['server'], ['username'], and ['password'].
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In `@app/Http/Controllers/Web/AdminerController.php`:
- Around line 60-63: Replace the current single-backup lookup that uses
$server->backups->first()?->database_names with a resolved, de-duplicated list
of database names collected from all backups (e.g.
collect($server->backups->pluck('database_names'))->flatten()->unique()->values()->all())
and then only auto-select into $db when that resulting $databaseNames array has
exactly one entry; update the code around the $databaseNames, $server->backups
and $db variables to use the flattened/unique list instead of the first backup's
database_names.
In `@tests/Feature/Livewire/DatabaseServer/IndexTest.php`:
- Around line 54-62: The test relies on the default app.adminer_enabled value;
make the precondition explicit by setting the config key to false at the start
of the test so it remains deterministic—add a configuration set for
"app.adminer_enabled" => false before creating the User/DatabaseServer or
invoking Livewire::actingAs in the "openAdminer is forbidden when adminer is
disabled" test (refer to the test function name and the Livewire::actingAs
->test(Index::class) ->call('openAdminer', ...) flow to locate where to insert
it).
---
Nitpick comments:
In `@app/Services/adminer_object.php`:
- Around line 9-44: The methods in the anonymous class returned by
adminer_object lack native type hints; update signatures to use native types
while verifying compatibility with \Adminer\Adminer: add ?array $creds and
string $cssPath types are already present on __construct (ensure constructor
visibility matches parent if needed), change public function credentials():
array to explicitly return array, change public function login($login,
$password): bool to declare parameter and return types (e.g. string $login,
string $password): bool or match parent signature, change public function
headers(): void to return nothing, and change public function css(): array to
return array<string> (or array) — adjust nullable/union types to exactly match
the parent method types in \Adminer\Adminer before committing.
- Around line 16-27: Update the PHPDoc for the constructor parameter $creds to
an array-shape specifying the exact keys used (e.g.
array{server:string,username:string,password:string}|null) so static analyzers
know the expected keys, and ensure any property or class-level docblocks
referencing $creds reflect the same shape; the change should be made near the
__construct declaration and will align with the existing credentials():
array{string,string,string} method which accesses $this->creds['server'],
['username'], and ['password'].
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: CHILL
Plan: Pro
Run ID: 73b0432d-473a-41b3-bf35-e1ee957cedcf
📒 Files selected for processing (15)
app/Http/Controllers/Web/AdminerController.phpapp/Livewire/Configuration/Index.phpapp/Livewire/DatabaseServer/Index.phpapp/Livewire/Forms/ConfigurationForm.phpapp/Models/DatabaseServer.phpapp/Models/User.phpapp/Policies/DatabaseServerPolicy.phpapp/Services/AppConfigService.phpapp/Services/adminer_object.phpresources/views/livewire/configuration/index.blade.phpresources/views/livewire/database-server/adminer-modal.blade.phpresources/views/livewire/database-server/index.blade.phptests/Feature/ConfigurationTest.phptests/Feature/Http/AdminerControllerTest.phptests/Feature/Livewire/DatabaseServer/IndexTest.php
✅ Files skipped from review due to trivial changes (2)
- resources/views/livewire/database-server/adminer-modal.blade.php
- app/Services/AppConfigService.php
🚧 Files skipped from review as they are similar to previous changes (1)
- resources/views/livewire/database-server/index.blade.php
📜 Review details
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)
- GitHub Check: ci
🧰 Additional context used
📓 Path-based instructions (8)
**/*.php
📄 CodeRabbit inference engine (CLAUDE.md)
Use curly braces for all control structures in PHP, even for single-line bodies
Use PHP 8 constructor property promotion:
public function __construct(public GitHub $github) { }. Do not leave empty zero-parameter__construct()methods unless the constructor is private.Use explicit return type declarations and type hints for all method parameters:
function isAccessible(User $user, ?string $path = null): boolPrefer PHPDoc blocks over inline comments. Only add inline comments for exceptionally complex logic.
Use array shape type definitions in PHPDoc blocks
All changes to PHP files must be formatted with Laravel Pint. Run
vendor/bin/pint --dirty --format agentbefore finalizing changes.Use descriptive names for variables and methods. For example,
isRegisteredForDiscounts, notdiscount()
Files:
app/Policies/DatabaseServerPolicy.phpapp/Models/DatabaseServer.phpapp/Models/User.phptests/Feature/Http/AdminerControllerTest.phptests/Feature/ConfigurationTest.phpapp/Http/Controllers/Web/AdminerController.phpapp/Livewire/DatabaseServer/Index.phpapp/Livewire/Forms/ConfigurationForm.phptests/Feature/Livewire/DatabaseServer/IndexTest.phpapp/Livewire/Configuration/Index.phpresources/views/livewire/configuration/index.blade.phpapp/Services/adminer_object.php
**/*.{php,blade.php}
📄 CodeRabbit inference engine (CLAUDE.md)
Use translations with
__('...')helper function. Keep technical terms like Backup, Restore, Snapshot(s) in English across all locales.
Files:
app/Policies/DatabaseServerPolicy.phpapp/Models/DatabaseServer.phpapp/Models/User.phptests/Feature/Http/AdminerControllerTest.phptests/Feature/ConfigurationTest.phpapp/Http/Controllers/Web/AdminerController.phpapp/Livewire/DatabaseServer/Index.phpapp/Livewire/Forms/ConfigurationForm.phptests/Feature/Livewire/DatabaseServer/IndexTest.phpapp/Livewire/Configuration/Index.phpresources/views/livewire/configuration/index.blade.phpapp/Services/adminer_object.php
app/Models/**/*.php
📄 CodeRabbit inference engine (CLAUDE.md)
Database models should use ULIDs for primary keys instead of auto-incrementing integers
When creating models, create useful factories and seeders for them as well
Files:
app/Models/DatabaseServer.phpapp/Models/User.php
tests/**/*.php
📄 CodeRabbit inference engine (CLAUDE.md)
When creating tests, use factories for creating models instead of manually setting up model properties
Use
$this->faker->word()orfake()->randomDigit()for generating test data. Follow existing conventions in the codebase for whether to use$this->fakerorfake()Create feature tests by default using
php artisan make:test [options] {name}. Pass--unitonly for unit tests.Use
php artisan make:test --pest {name}to create tests with Pest. The {name} argument should not include the test suite directory.
Files:
tests/Feature/Http/AdminerControllerTest.phptests/Feature/ConfigurationTest.phptests/Feature/Livewire/DatabaseServer/IndexTest.php
app/Livewire/**/*.php
📄 CodeRabbit inference engine (CLAUDE.md)
Use
#[Validate]attributes or Form objects for validation in Livewire components. Call$this->validate()before processing data.Use
Session::flash()for one-time messages in Livewire components and access them in Blade files with@if (session('success'))Return
$this->redirect()withnavigate: truein Livewire components for SPA-like navigation between pagesPublic properties in Livewire components are automatically bound to views. Use them for component state and form data.
Modal pattern in Mary UI: Add boolean property to Livewire component class, use
wire:modelin Blade file to bind modal visibilityLivewire components should use class-based components with reactive state. Use Alpine.js for client-side interactions instead of JavaScript frameworks.
Keep state server-side in Livewire components so the UI reflects it. Validate and authorize in actions as you would in HTTP requests.
Files:
app/Livewire/DatabaseServer/Index.phpapp/Livewire/Forms/ConfigurationForm.phpapp/Livewire/Configuration/Index.php
resources/views/livewire/**/*.blade.php
📄 CodeRabbit inference engine (CLAUDE.md)
In Livewire Blade files, contain only view markup. Keep all PHP logic in component classes.
Files:
resources/views/livewire/configuration/index.blade.php
resources/views/**/*.blade.php
📄 CodeRabbit inference engine (CLAUDE.md)
All UI components use Mary UI (built on daisyUI). Use component prefixes (e.g.,
<x-button>,<x-input>,<x-card>) without custom prefixes.Use Heroicons for icons in Mary UI components with format
icon="o-user"for outline icons andicon="s-user"for solid iconsSelect component pattern in Mary UI: Use
:optionsprop with array format[['id' => 'value', 'name' => 'Label']]Alert pattern in Mary UI: Use
class="alert-success",class="alert-error", etc. instead ofvariantpropDark mode in Mary UI follows system preference using
prefers-color-schemeIn Blade component attributes with translated strings, use
:attrbinding (dynamic syntax) like<x-header :title="__('Text')" />instead of{{ }}interpolation to avoid double-encoding special characters
Files:
resources/views/livewire/configuration/index.blade.php
**/*.blade.php
📄 CodeRabbit inference engine (CLAUDE.md)
Use named routes with the
route()function when generating links to other pages instead of hardcoding URLs
Files:
resources/views/livewire/configuration/index.blade.php
🧠 Learnings (41)
📓 Common learnings
Learnt from: David-Crty
Repo: David-Crty/databasement PR: 199
File: app/Services/AdminerService.php:24-28
Timestamp: 2026-04-30T15:26:00.524Z
Learning: In David-Crty/databasement, the Adminer integration (app/Services/AdminerService.php) uses `chdir()` and runtime `define()` before `include adminer.php`. These are intentionally not guarded with save/restore or class constants because adminer.php calls `exit()` internally, so the PHP worker resets after every Adminer request anyway. Laravel Octane has been removed from the project entirely (as of PR `#199` follow-up). Do not flag these as process-global state leaks.
Learnt from: David-Crty
Repo: David-Crty/databasement PR: 199
File: app/Http/Controllers/Web/AdminerController.php:13-30
Timestamp: 2026-03-31T09:47:44.827Z
Learning: In David-Crty/databasement, `DatabaseServerPolicy::view()` returns `true` for all authenticated users unconditionally. Therefore, skipping a per-request `authorize('view', $server)` call in `AdminerController` (which is already protected by `auth` middleware) is intentional and acceptable. Do not flag the absence of a re-authorization check in `AdminerController` as a security issue unless the policy becomes more restrictive.
Learnt from: CR
Repo: David-Crty/databasement
Timestamp: 2026-04-30T17:45:09.999Z
Learning: All PHP commands MUST be run through Docker using Makefile targets or `docker compose exec --user application -T app <command>`. Never run `php`, `composer`, or `vendor/bin/*` commands directly on the host.
Learnt from: CR
Repo: David-Crty/databasement
Timestamp: 2026-04-30T17:45:09.999Z
Learning: Always use `make test` command for running tests. NEVER use `docker compose exec ... php artisan test` directly - it runs tests sequentially and is much slower. Tests run in parallel by default using Pest's parallel testing feature.
Learnt from: CR
Repo: David-Crty/databasement
Timestamp: 2026-04-30T17:45:09.999Z
Learning: Use `make test-filter FILTER=<TestClass>` to run specific tests by class or method name
Learnt from: CR
Repo: David-Crty/databasement
Timestamp: 2026-04-30T17:45:09.999Z
Learning: Run tests with `php artisan test --compact` or filter with `php artisan test --compact --filter=testName`
Learnt from: CR
Repo: David-Crty/databasement
Timestamp: 2026-04-30T17:45:09.999Z
Learning: Use `php artisan make:` commands to create new files (migrations, controllers, models, etc.) rather than manually creating them
Learnt from: CR
Repo: David-Crty/databasement
Timestamp: 2026-04-30T17:45:09.999Z
Learning: When creating a generic PHP class, use `php artisan make:class` command
Learnt from: CR
Repo: David-Crty/databasement
Timestamp: 2026-04-30T17:45:09.999Z
Learning: Pass `--no-interaction` to all Artisan commands to ensure they work without user input and include correct `--options` for desired behavior
Learnt from: CR
Repo: David-Crty/databasement
Timestamp: 2026-04-30T17:45:09.999Z
Learning: Check for existing components to reuse before writing a new one
Learnt from: CR
Repo: David-Crty/databasement
Timestamp: 2026-04-30T17:45:09.999Z
Learning: Follow all existing code conventions used in this application. When creating or editing a file, check sibling files for the correct structure, approach, and naming.
Learnt from: CR
Repo: David-Crty/databasement
Timestamp: 2026-04-30T17:45:09.999Z
Learning: Do not create verification scripts or tinker when tests cover that functionality and prove they work. Unit and feature tests are more important.
Learnt from: CR
Repo: David-Crty/databasement
Timestamp: 2026-04-30T17:45:09.999Z
Learning: Stick to existing directory structure; do not create new base folders without approval
Learnt from: CR
Repo: David-Crty/databasement
Timestamp: 2026-04-30T17:45:09.999Z
Learning: Do not change the application's dependencies without approval
Learnt from: CR
Repo: David-Crty/databasement
Timestamp: 2026-04-30T17:45:09.999Z
Learning: If users don't see frontend changes reflected in the UI, they may need to run `npm run build`, `npm run dev`, or `composer run dev`
Learnt from: CR
Repo: David-Crty/databasement
Timestamp: 2026-04-30T17:45:09.999Z
Learning: Only create documentation files if explicitly requested by the user
📚 Learning: 2026-03-31T09:47:44.827Z
Learnt from: David-Crty
Repo: David-Crty/databasement PR: 199
File: app/Http/Controllers/Web/AdminerController.php:13-30
Timestamp: 2026-03-31T09:47:44.827Z
Learning: In David-Crty/databasement, `DatabaseServerPolicy::view()` returns `true` for all authenticated users unconditionally. Therefore, skipping a per-request `authorize('view', $server)` call in `AdminerController` (which is already protected by `auth` middleware) is intentional and acceptable. Do not flag the absence of a re-authorization check in `AdminerController` as a security issue unless the policy becomes more restrictive.
Applied to files:
app/Policies/DatabaseServerPolicy.phpapp/Models/DatabaseServer.phpapp/Http/Controllers/Web/AdminerController.phpapp/Livewire/DatabaseServer/Index.phptests/Feature/Livewire/DatabaseServer/IndexTest.php
📚 Learning: 2026-04-14T09:35:21.994Z
Learnt from: David-Crty
Repo: David-Crty/databasement PR: 212
File: resources/views/livewire/database-server/index.blade.php:185-193
Timestamp: 2026-04-14T09:35:21.994Z
Learning: In `app/Policies/DatabaseServerPolicy.php` (David-Crty/databasement), the `backup()` policy method guards on both `$databaseServer->backups_enabled` and `$databaseServer->backups->isNotEmpty()` before checking user role (`isDemo()` / `canPerformActions()`). The "Backup now" button in the index view relies entirely on this policy check (`can('backup', $server)`) — do not add redundant view-level guards for this condition.
Applied to files:
app/Policies/DatabaseServerPolicy.phptests/Feature/Http/AdminerControllerTest.phpapp/Http/Controllers/Web/AdminerController.phpapp/Livewire/DatabaseServer/Index.phptests/Feature/Livewire/DatabaseServer/IndexTest.php
📚 Learning: 2026-04-30T15:26:00.524Z
Learnt from: David-Crty
Repo: David-Crty/databasement PR: 199
File: app/Services/AdminerService.php:24-28
Timestamp: 2026-04-30T15:26:00.524Z
Learning: In David-Crty/databasement, the Adminer integration (app/Services/AdminerService.php) uses `chdir()` and runtime `define()` before `include adminer.php`. These are intentionally not guarded with save/restore or class constants because adminer.php calls `exit()` internally, so the PHP worker resets after every Adminer request anyway. Laravel Octane has been removed from the project entirely (as of PR `#199` follow-up). Do not flag these as process-global state leaks.
Applied to files:
app/Policies/DatabaseServerPolicy.phptests/Feature/Http/AdminerControllerTest.phpapp/Http/Controllers/Web/AdminerController.phpapp/Livewire/DatabaseServer/Index.phpapp/Services/adminer_object.php
📚 Learning: 2026-03-23T11:45:17.545Z
Learnt from: David-Crty
Repo: David-Crty/databasement PR: 178
File: app/Http/Controllers/Api/V1/VolumeController.php:116-120
Timestamp: 2026-03-23T11:45:17.545Z
Learning: In David-Crty/databasement, `testConnection` API endpoints (e.g., `VolumeController::testConnection`, `DatabaseServerController::testConnection`) intentionally use `$this->authorize('view', $model)` rather than a stricter ability. This is a deliberate design decision by the maintainer — do not flag this as an issue in future reviews.
Applied to files:
app/Policies/DatabaseServerPolicy.phptests/Feature/Http/AdminerControllerTest.phpapp/Http/Controllers/Web/AdminerController.phptests/Feature/Livewire/DatabaseServer/IndexTest.php
📚 Learning: 2026-04-29T16:55:13.054Z
Learnt from: CR
Repo: David-Crty/databasement PR: 0
File: CLAUDE.md:0-0
Timestamp: 2026-04-29T16:55:13.054Z
Learning: Applies to app/Services/**/*.php : Use the `DatabaseProvider::testConnectionForServer()` method to orchestrate connection tests, delegating to appropriate `DatabaseInterface` handlers.
Applied to files:
app/Policies/DatabaseServerPolicy.phptests/Feature/Http/AdminerControllerTest.phptests/Feature/Livewire/DatabaseServer/IndexTest.php
📚 Learning: 2026-02-25T10:48:17.811Z
Learnt from: David-Crty
Repo: David-Crty/databasement PR: 132
File: app/Console/Commands/RecoverAgentLeasesCommand.php:44-48
Timestamp: 2026-02-25T10:48:17.811Z
Learning: When reviewing PHP code, especially with foreign keys that use cascadeOnDelete and are non-nullable, assume child relations exist at runtime (the database will delete children when the parent is deleted). Do not rely on null-safe operators for these relations, as PHPStan already models them as non-null. This guideline applies broadly to PHP files that define models with foreign keys using cascade delete; verify there are no unnecessary null checks or optional chaining on such relations.
Applied to files:
app/Policies/DatabaseServerPolicy.phpapp/Models/DatabaseServer.phpapp/Models/User.phptests/Feature/Http/AdminerControllerTest.phptests/Feature/ConfigurationTest.phpapp/Http/Controllers/Web/AdminerController.phpapp/Livewire/DatabaseServer/Index.phpapp/Livewire/Forms/ConfigurationForm.phptests/Feature/Livewire/DatabaseServer/IndexTest.phpapp/Livewire/Configuration/Index.phpresources/views/livewire/configuration/index.blade.phpapp/Services/adminer_object.php
📚 Learning: 2026-04-29T17:55:27.012Z
Learnt from: CR
Repo: David-Crty/databasement PR: 0
File: CLAUDE.md:0-0
Timestamp: 2026-04-29T17:55:27.012Z
Learning: Applies to app/Services/Backup/Databases/**Database.php : Types without PDO support (e.g., Redis) must throw in `buildDsn()`/`createPdo()` and handle connection testing via CLI in their `testConnection()` method.
Applied to files:
app/Models/DatabaseServer.phptests/Feature/Http/AdminerControllerTest.phptests/Feature/Livewire/DatabaseServer/IndexTest.php
📚 Learning: 2026-04-29T18:37:48.743Z
Learnt from: CR
Repo: David-Crty/databasement PR: 0
File: CLAUDE.md:0-0
Timestamp: 2026-04-29T18:37:48.743Z
Learning: Applies to tests/**/*.php : Create Pest tests using `php artisan make:test --pest {name}` without including the test suite directory. Use `php artisan make:test --pest SomeFeatureTest` instead of `php artisan make:test --pest Feature/SomeFeatureTest`.
Applied to files:
tests/Feature/Http/AdminerControllerTest.php
📚 Learning: 2026-04-29T17:55:27.012Z
Learnt from: CR
Repo: David-Crty/databasement PR: 0
File: CLAUDE.md:0-0
Timestamp: 2026-04-29T17:55:27.012Z
Learning: Create feature tests using `php artisan make:test [options] {name}` and pass `--unit` to create unit tests. Most tests should be feature tests.
Applied to files:
tests/Feature/Http/AdminerControllerTest.phptests/Feature/ConfigurationTest.php
📚 Learning: 2026-02-17T08:43:03.630Z
Learnt from: David-Crty
Repo: David-Crty/databasement PR: 114
File: tests/Integration/SshTunnelTest.php:37-46
Timestamp: 2026-02-17T08:43:03.630Z
Learning: In the databasement project, integration tests use RefreshDatabase (configured in tests/Pest.php), which automatically rolls back all database changes after each test. Therefore, explicit model deletion calls like $server->delete(), $volume->delete(), or $sshConfig->delete() are unnecessary in integration tests.
Applied to files:
tests/Feature/Http/AdminerControllerTest.php
📚 Learning: 2026-02-13T11:05:37.072Z
Learnt from: David-Crty
Repo: David-Crty/databasement PR: 105
File: tests/Feature/Services/Backup/Databases/SqliteDatabaseTest.php:8-11
Timestamp: 2026-02-13T11:05:37.072Z
Learning: Adopt a global afterEach hook in tests/Pest.php (or equivalent Pest bootstrap) to clean up temporary directories created during tests. Specifically handle temp dirs named with the prefixes sqlite-db-test-*, backup-task-test-*, restore-task-test-*, and volume-test-*, so individual test files don’t need their own cleanup logic. This applies to all PHP test files under the tests directory.
Applied to files:
tests/Feature/Http/AdminerControllerTest.phptests/Feature/ConfigurationTest.phptests/Feature/Livewire/DatabaseServer/IndexTest.php
📚 Learning: 2026-04-09T13:59:25.873Z
Learnt from: David-Crty
Repo: David-Crty/databasement PR: 205
File: tests/Feature/ConfigurationTest.php:165-176
Timestamp: 2026-04-09T13:59:25.873Z
Learning: In this repository, `Notification::fake()` is already performed globally in the base test class (`tests/TestCase.php`) within `setUp()` before each test. When reviewing individual test files under `tests/`, do not flag missing `Notification::fake()` calls, since they are handled by the shared base test setup.
Applied to files:
tests/Feature/Http/AdminerControllerTest.phptests/Feature/ConfigurationTest.phptests/Feature/Livewire/DatabaseServer/IndexTest.php
📚 Learning: 2026-03-02T13:13:34.079Z
Learnt from: David-Crty
Repo: David-Crty/databasement PR: 132
File: tests/Unit/Services/Backup/DTO/BackupConfigTest.php:34-45
Timestamp: 2026-03-02T13:13:34.079Z
Learning: In tests/Unit/Services/Backup/DTO/BackupConfigTest.php and similar DTO symmetry tests, prioritize asserting execution-critical fields (database connection, compression, paths) over display-only metadata (volume.name, volume.config, database.serverName) that don't affect backup execution.
Applied to files:
tests/Feature/ConfigurationTest.php
📚 Learning: 2026-04-29T17:55:27.012Z
Learnt from: CR
Repo: David-Crty/databasement PR: 0
File: CLAUDE.md:0-0
Timestamp: 2026-04-29T17:55:27.012Z
Learning: Do not test framework internals or trust that Laravel/Livewire works correctly. Focus on testing business logic and behaviors. Keep tests minimal and focused - one test per behavior when possible.
Applied to files:
tests/Feature/ConfigurationTest.php
📚 Learning: 2026-04-29T18:37:48.743Z
Learnt from: CR
Repo: David-Crty/databasement PR: 0
File: CLAUDE.md:0-0
Timestamp: 2026-04-29T18:37:48.743Z
Learning: Do NOT test Laravel validation rules (e.g., `required`, `max:255`), Eloquent relationships (`hasMany`/`belongsTo`), Eloquent cascades (`onDelete('cascade')`), session flash messages, redirect responses once per flow, or multiple variations of the same thing. Focus on testing authorization, business logic, integration points, and edge cases in your own code.
Applied to files:
tests/Feature/ConfigurationTest.php
📚 Learning: 2026-04-29T18:37:48.743Z
Learnt from: CR
Repo: David-Crty/databasement PR: 0
File: CLAUDE.md:0-0
Timestamp: 2026-04-29T18:37:48.743Z
Learning: Applies to app/Livewire/**/*.php : Keep state server-side in Livewire components so the UI reflects it. Validate and authorize in actions as you would in HTTP requests.
Applied to files:
tests/Feature/ConfigurationTest.phpapp/Http/Controllers/Web/AdminerController.phpapp/Livewire/DatabaseServer/Index.phpapp/Livewire/Configuration/Index.php
📚 Learning: 2026-04-29T17:55:27.012Z
Learnt from: CR
Repo: David-Crty/databasement PR: 0
File: CLAUDE.md:0-0
Timestamp: 2026-04-29T17:55:27.012Z
Learning: Do not test form validation rules, Eloquent relationships, Eloquent cascades, session flash messages, redirect responses, or multiple variations of the same thing. These are framework internals.
Applied to files:
tests/Feature/ConfigurationTest.php
📚 Learning: 2026-04-14T08:07:19.142Z
Learnt from: David-Crty
Repo: David-Crty/databasement PR: 212
File: resources/views/livewire/database-server/_form.blade.php:318-330
Timestamp: 2026-04-14T08:07:19.142Z
Learning: In `resources/views/livewire/database-server/_backup-form.blade.php` (David-Crty/databasement), the `wire:key` for backup cards is intentionally `backup-card-{{ $cardKey }}` where `$cardKey = $backup['id'] ?? 'new-'.$index`. The `new-{index}` fallback for unsaved new cards is a deliberate design choice — no stable ID exists before persistence. Once saved, the persisted `id` takes over. Do not flag `new-{index}` as an unstable key; the pattern is correct for this use case.
Applied to files:
app/Http/Controllers/Web/AdminerController.phpapp/Livewire/DatabaseServer/Index.phpresources/views/livewire/configuration/index.blade.php
📚 Learning: 2026-03-26T12:36:10.970Z
Learnt from: David-Crty
Repo: David-Crty/databasement PR: 188
File: app/Livewire/BackupJob/Index.php:221-231
Timestamp: 2026-03-26T12:36:10.970Z
Learning: In David-Crty/databasement, the `deletePendingJob()` method in `app/Livewire/BackupJob/Index.php` intentionally does NOT use `DB::transaction()` or `lockForUpdate()` for the status check + delete sequence. The reasoning: the race window in a synchronous Livewire request is microseconds, the failure mode (worker updating a deleted row) is benign, and the added complexity is not justified. This is consistent with the project's overall philosophy of avoiding strict transactional guards for job state changes.
Applied to files:
app/Http/Controllers/Web/AdminerController.php
📚 Learning: 2026-04-10T08:46:58.979Z
Learnt from: David-Crty
Repo: David-Crty/databasement PR: 205
File: database/migrations/2026_04_09_000001_add_notification_channels.php:143-156
Timestamp: 2026-04-10T08:46:58.979Z
Learning: In David-Crty/databasement, Laravel migrations are forward-only in production; rollback is considered a dev-only action. Therefore, it is acceptable to delete legacy data (e.g., `app_configs` rows) within the same migration's `up()` without restoring them in `down()`, even if `down()` cannot fully reverse the state. Do not flag missing rollback restoration of migrated/deleted data as a production risk in this repo.
Applied to files:
app/Http/Controllers/Web/AdminerController.php
📚 Learning: 2026-04-29T17:55:27.012Z
Learnt from: CR
Repo: David-Crty/databasement PR: 0
File: CLAUDE.md:0-0
Timestamp: 2026-04-29T17:55:27.012Z
Learning: Applies to routes/**/*.php : Use `Route::livewire()` for full-page Livewire components (e.g., `Route::livewire('database-servers', \App\Livewire\DatabaseServer\Index::class)`).
Applied to files:
app/Livewire/DatabaseServer/Index.php
📚 Learning: 2026-04-10T07:20:11.487Z
Learnt from: David-Crty
Repo: David-Crty/databasement PR: 205
File: database/migrations/2026_04_09_000001_add_notification_channels.php:17-65
Timestamp: 2026-04-10T07:20:11.487Z
Learning: In David-Crty/databasement, `AppConfig::prepareValue()` encrypts sensitive notification config values (tokens, webhook URLs, secrets, etc.) before storing them in the `app_configs` table. When the migration `database/migrations/2026_04_09_000001_add_notification_channels.php` reads these values via raw `DB::table()->pluck('value', 'id')`, they are already encrypted at rest. The migration copies them as-is into `notification_channels.config`, where `NotificationChannel::getDecryptedConfig()` decrypts them correctly. Do NOT flag this as missing encryption — re-encrypting migrated values from `app_configs` would cause double-encryption and break decryption.
Applied to files:
app/Livewire/DatabaseServer/Index.php
📚 Learning: 2026-04-29T17:55:27.012Z
Learnt from: CR
Repo: David-Crty/databasement PR: 0
File: CLAUDE.md:0-0
Timestamp: 2026-04-29T17:55:27.012Z
Learning: Use Laravel's built-in authentication and authorization features (gates, policies, Sanctum, etc.).
Applied to files:
app/Livewire/DatabaseServer/Index.php
📚 Learning: 2026-04-29T18:37:48.743Z
Learnt from: CR
Repo: David-Crty/databasement PR: 0
File: CLAUDE.md:0-0
Timestamp: 2026-04-29T18:37:48.743Z
Learning: Applies to app/Livewire/**/*.php : In Livewire components, use `Session::flash()` for one-time messages and show them via `if (session('success'))` in Blade templates.
Applied to files:
app/Livewire/DatabaseServer/Index.php
📚 Learning: 2026-04-29T17:55:27.012Z
Learnt from: CR
Repo: David-Crty/databasement PR: 0
File: CLAUDE.md:0-0
Timestamp: 2026-04-29T17:55:27.012Z
Learning: Applies to app/Livewire/**/*.php : Use class-based Livewire components for all interactive pages.
Applied to files:
app/Livewire/DatabaseServer/Index.phpapp/Livewire/Configuration/Index.phpresources/views/livewire/configuration/index.blade.php
📚 Learning: 2026-04-29T16:55:13.054Z
Learnt from: CR
Repo: David-Crty/databasement PR: 0
File: CLAUDE.md:0-0
Timestamp: 2026-04-29T16:55:13.054Z
Learning: Applies to routes/**/*.php : All full-page Livewire components use `Route::livewire()` routing.
Applied to files:
app/Livewire/DatabaseServer/Index.php
📚 Learning: 2026-04-29T16:55:13.054Z
Learnt from: CR
Repo: David-Crty/databasement PR: 0
File: CLAUDE.md:0-0
Timestamp: 2026-04-29T16:55:13.054Z
Learning: Applies to app/Livewire/**/*.php : Use `Session::flash()` for one-time messages in Livewire components, shown via `if (session('success'))` in Blade views.
Applied to files:
app/Livewire/DatabaseServer/Index.php
📚 Learning: 2026-02-04T12:26:48.720Z
Learnt from: CR
Repo: David-Crty/databasement PR: 0
File: CLAUDE.md:0-0
Timestamp: 2026-02-04T12:26:48.720Z
Learning: Applies to routes/web.php : Use `Volt::route()` helper for single-file authentication components in routing. Use Livewire component classes directly for other routes (e.g., `Route::get('resource', ComponentClass::class)`).
Applied to files:
app/Livewire/DatabaseServer/Index.php
📚 Learning: 2026-04-29T18:37:48.743Z
Learnt from: CR
Repo: David-Crty/databasement PR: 0
File: CLAUDE.md:0-0
Timestamp: 2026-04-29T18:37:48.743Z
Learning: Applies to app/Livewire/**/*.php : In Livewire components, use `#[Validate]` attributes or Form objects for validation. Call `$this->validate()` before processing data.
Applied to files:
app/Livewire/DatabaseServer/Index.phpapp/Livewire/Forms/ConfigurationForm.php
📚 Learning: 2026-04-29T18:37:48.743Z
Learnt from: CR
Repo: David-Crty/databasement PR: 0
File: CLAUDE.md:0-0
Timestamp: 2026-04-29T18:37:48.743Z
Learning: Applies to resources/views/**/*.blade.php : Use Alpine.js for client-side interactions in Livewire instead of JavaScript frameworks.
Applied to files:
app/Livewire/DatabaseServer/Index.phpresources/views/livewire/configuration/index.blade.php
📚 Learning: 2026-02-18T09:45:52.485Z
Learnt from: David-Crty
Repo: David-Crty/databasement PR: 116
File: app/Livewire/DatabaseServer/ConnectionStatus.php:18-18
Timestamp: 2026-02-18T09:45:52.485Z
Learning: In Livewire components, Eloquent model properties (e.g., public DatabaseServer $server) are automatically locked by the framework to prevent client-side ID tampering. The #[Locked] attribute is only needed for scalar properties (int, string, bool, etc.) that require protection from client-side mutation. Apply this guidance to all Livewire PHP components; use #[Locked] only on primitive properties that you want to shield from client manipulation, and rely on automatic locking for Eloquent model properties.
Applied to files:
app/Livewire/DatabaseServer/Index.phpapp/Livewire/Forms/ConfigurationForm.phptests/Feature/Livewire/DatabaseServer/IndexTest.phpapp/Livewire/Configuration/Index.php
📚 Learning: 2026-04-29T18:37:48.743Z
Learnt from: CR
Repo: David-Crty/databasement PR: 0
File: CLAUDE.md:0-0
Timestamp: 2026-04-29T18:37:48.743Z
Learning: Applies to app/Livewire/**/*.php : In Mary UI modals, add a boolean property to the component class and use `wire:model` in the Blade template.
Applied to files:
app/Livewire/Forms/ConfigurationForm.phpapp/Livewire/Configuration/Index.phpresources/views/livewire/configuration/index.blade.php
📚 Learning: 2026-04-29T17:55:27.012Z
Learnt from: CR
Repo: David-Crty/databasement PR: 0
File: CLAUDE.md:0-0
Timestamp: 2026-04-29T17:55:27.012Z
Learning: Applies to app/Livewire/**/*.php : Use `#[Validate]` attributes or Form objects for validation in Livewire components. Call `$this->validate()` before processing data.
Applied to files:
app/Livewire/Forms/ConfigurationForm.php
📚 Learning: 2026-04-29T17:55:27.012Z
Learnt from: CR
Repo: David-Crty/databasement PR: 0
File: CLAUDE.md:0-0
Timestamp: 2026-04-29T17:55:27.012Z
Learning: Applies to app/**/*.php : Dispatch backup and restore operations to the queue using `ProcessBackupJob` and `ProcessRestoreJob` with appropriate retries and timeouts.
Applied to files:
tests/Feature/Livewire/DatabaseServer/IndexTest.php
📚 Learning: 2026-04-29T16:55:13.054Z
Learnt from: CR
Repo: David-Crty/databasement PR: 0
File: CLAUDE.md:0-0
Timestamp: 2026-04-29T16:55:13.054Z
Learning: Applies to app/Services/Backup/BackupJobFactory.php : Types that backup the whole instance (e.g., Redis, SQLite) should short-circuit in `BackupJobFactory.createSnapshots()` to create a single snapshot.
Applied to files:
tests/Feature/Livewire/DatabaseServer/IndexTest.php
📚 Learning: 2026-02-25T10:48:46.954Z
Learnt from: David-Crty
Repo: David-Crty/databasement PR: 132
File: app/Services/Agent/AgentJobPayloadBuilder.php:63-76
Timestamp: 2026-02-25T10:48:46.954Z
Learning: In app/Services/Agent/AgentJobPayloadBuilder.php and similar service classes, prefer fail-fast error handling over defensive null-safe operators when upstream callers (e.g., TriggerBackupAction, RunScheduledBackups) guarantee certain relationships exist. For example, in resolveBackupPath(), $server->backup is intentionally accessed without the null-safe operator because backup existence is enforced at call sites; using the null-safe operator would hide bugs that violate this invariant.
Applied to files:
tests/Feature/Livewire/DatabaseServer/IndexTest.php
📚 Learning: 2026-04-09T13:57:29.664Z
Learnt from: David-Crty
Repo: David-Crty/databasement PR: 205
File: app/Services/NotificationService.php:130-137
Timestamp: 2026-04-09T13:57:29.664Z
Learning: In David-Crty/databasement, the new NotificationService (app/Services/NotificationService.php) deliberately refreshes vendor service configs (services.discord.token, services.telegram-bot-api.token, services.pushover.token) per-send via refreshVendorServiceConfig() immediately before each Notification::send() call, rather than at boot time in AppServiceProvider. This is intentional because the new architecture supports multiple NotificationChannel records of the same vendor type (e.g., two Discord channels with different tokens), making boot-time registration impossible. Do not flag the absence of boot-time registration for these vendor channels as an Octane compatibility issue.
Applied to files:
app/Livewire/Configuration/Index.php
📚 Learning: 2026-04-29T16:55:13.054Z
Learnt from: CR
Repo: David-Crty/databasement PR: 0
File: CLAUDE.md:0-0
Timestamp: 2026-04-29T16:55:13.054Z
Learning: Applies to app/Livewire/**/*.php : Public properties in Livewire components are automatically bound to views.
Applied to files:
resources/views/livewire/configuration/index.blade.php
📚 Learning: 2026-01-30T22:27:46.107Z
Learnt from: David-Crty
Repo: David-Crty/databasement PR: 61
File: resources/views/livewire/volume/connectors/s3-config.blade.php:1-13
Timestamp: 2026-01-30T22:27:46.107Z
Learning: In Blade template files (any .blade.php) within the databasement project, allow using alert-info for informational content inside <x-alert> components. The guideline that permits alert-success and alert-error does not exclude using alert-info for informational purposes. Apply this consistently to all Blade components that render alerts; ensure semantic usage and accessibility.
Applied to files:
resources/views/livewire/configuration/index.blade.php
📚 Learning: 2026-02-06T10:34:43.585Z
Learnt from: David-Crty
Repo: David-Crty/databasement PR: 75
File: resources/views/livewire/backup-job/_filters.blade.php:36-40
Timestamp: 2026-02-06T10:34:43.585Z
Learning: In Blade template files, when creating compact inline filter controls, prefer using native <input type="checkbox"> elements with daisyUI classes (e.g., checkbox checkbox-warning checkbox-xs) over the Mary UI <x-checkbox> component. The <x-checkbox> component adds wrapper markup (e.g., <div><fieldset><label> with gap-3) that can break tight inline flex layouts. Use the native input approach for compact inline controls, but reserve <x-checkbox> for form fields that require labels, hints, and errors.
Applied to files:
resources/views/livewire/configuration/index.blade.php
🪛 PHPMD (2.15.0)
app/Services/adminer_object.php
[warning] 18-18: Avoid unused parameters such as '$creds'. (undefined)
(UnusedFormalParameter)
[warning] 32-32: Avoid unused parameters such as '$login'. (undefined)
(UnusedFormalParameter)
[warning] 32-32: Avoid unused parameters such as '$password'. (undefined)
(UnusedFormalParameter)
🔇 Additional comments (9)
app/Models/DatabaseServer.php (1)
204-208: Adminer support gate is clear and correctly scoped.This matches the expected compatibility constraints for Adminer access.
app/Models/User.php (1)
197-203: Role-threshold helper looks solid.The deny-by-default behavior for unknown roles is a good safety property.
app/Livewire/Forms/ConfigurationForm.php (1)
57-80: Application-config save flow is well-structured.Validation and key-mapped persistence are clean and consistent with the existing form pattern.
app/Policies/DatabaseServerPolicy.php (1)
65-77: Policy gate for Adminer is correctly centralized.Feature-flag plus minimum-role checks are in the right place.
app/Livewire/Configuration/Index.php (1)
144-151: Admin-only save action is implemented correctly.Guarding the action server-side before persisting is the right pattern.
resources/views/livewire/configuration/index.blade.php (1)
43-67: Application settings form wiring looks good.The conditional role selector and admin-only submit behavior are consistent with the server-side checks.
app/Livewire/DatabaseServer/Index.php (1)
135-150: Adminer open action flow is clean.Compatibility check, policy authorization, and modal dispatch are composed in the right order.
tests/Feature/Http/AdminerControllerTest.php (1)
14-134: Strong coverage for Adminer route gating and credential handoff.These tests cleanly verify feature toggles, role checks, unsupported server constraints, and
AdminerService::render()contract for first/subsequent requests. Nice addition.tests/Feature/ConfigurationTest.php (1)
62-79: Good addition of app-config persistence and authorization tests.
saveApplicationConfignow has direct coverage for both successful persistence and forbidden access paths.
There was a problem hiding this comment.
Actionable comments posted: 2
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@app/Services/AdminerService.php`:
- Around line 63-69: The cache logic in AdminerService is wrong: it always uses
a static version=1 and blindly returns 304 for any HTTP_IF_MODIFIED_SINCE;
update the asset URL/version to use a real changing identifier (e.g., package
version or the asset file's mtime) instead of the hardcoded "1", compute the
asset's last-modified time via filemtime (or the Adminer package version
constant) and set Last-Modified/Expires based on that timestamp, and change the
conditional GET check (the block that reads $_SERVER['HTTP_IF_MODIFIED_SINCE']
and sends header('HTTP/1.1 304 Not Modified')) to parse the incoming
If-Modified-Since, compare it against the actual asset last-modified time and
only return 304 when the asset has not changed; update the code that builds the
rewritten URL/version and the header() calls in AdminerService so both use the
same real version/mtime.
- Around line 59-77: The current asset-serving block (preg_match on
$_GET['file'] and the final `@readfile` call in AdminerService.php) allows PHP
files like adminer.php to be served; update the preg_match to only allow the
expected asset extensions (e.g., restrict the capture group to css|js|gif|png),
then resolve the full path using $vendorAdminer.'/'.$_GET['file'] and verify
is_file() && is_readable() before calling readfile(); if the file is missing or
not readable return a 404 (header('HTTP/1.1 404 Not Found') and exit) instead of
attempting to stream, and remove the error suppression on readfile to ensure
failures are visible in logs.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: CHILL
Plan: Pro
Run ID: d1e05685-3a11-4195-9262-f23f27e49f09
⛔ Files ignored due to path filters (1)
composer.lockis excluded by!**/*.lock
📒 Files selected for processing (12)
.github/workflows/tests.ymlapp/Livewire/Configuration/Application.phpapp/Livewire/Forms/ConfigurationForm.phpapp/Models/DatabaseServer.phpapp/Models/User.phpapp/Services/AdminerService.phpbootstrap/app.phpresources/views/livewire/configuration/application.blade.phproutes/web.phptests/Feature/Configuration/ApplicationTest.phptests/Feature/Http/AdminerControllerTest.phptests/Feature/Livewire/DatabaseServer/IndexTest.php
✅ Files skipped from review due to trivial changes (2)
- bootstrap/app.php
- .github/workflows/tests.yml
🚧 Files skipped from review as they are similar to previous changes (6)
- app/Models/DatabaseServer.php
- app/Models/User.php
- routes/web.php
- tests/Feature/Http/AdminerControllerTest.php
- tests/Feature/Livewire/DatabaseServer/IndexTest.php
- app/Livewire/Forms/ConfigurationForm.php
📜 Review details
🧰 Additional context used
🧠 Learnings (9)
📚 Learning: 2026-01-30T22:27:46.107Z
Learnt from: David-Crty
Repo: David-Crty/databasement PR: 61
File: resources/views/livewire/volume/connectors/s3-config.blade.php:1-13
Timestamp: 2026-01-30T22:27:46.107Z
Learning: In Blade template files (any .blade.php) within the databasement project, allow using alert-info for informational content inside <x-alert> components. The guideline that permits alert-success and alert-error does not exclude using alert-info for informational purposes. Apply this consistently to all Blade components that render alerts; ensure semantic usage and accessibility.
Applied to files:
resources/views/livewire/configuration/application.blade.php
📚 Learning: 2026-02-06T10:34:43.585Z
Learnt from: David-Crty
Repo: David-Crty/databasement PR: 75
File: resources/views/livewire/backup-job/_filters.blade.php:36-40
Timestamp: 2026-02-06T10:34:43.585Z
Learning: In Blade template files, when creating compact inline filter controls, prefer using native <input type="checkbox"> elements with daisyUI classes (e.g., checkbox checkbox-warning checkbox-xs) over the Mary UI <x-checkbox> component. The <x-checkbox> component adds wrapper markup (e.g., <div><fieldset><label> with gap-3) that can break tight inline flex layouts. Use the native input approach for compact inline controls, but reserve <x-checkbox> for form fields that require labels, hints, and errors.
Applied to files:
resources/views/livewire/configuration/application.blade.php
📚 Learning: 2026-02-25T10:48:17.811Z
Learnt from: David-Crty
Repo: David-Crty/databasement PR: 132
File: app/Console/Commands/RecoverAgentLeasesCommand.php:44-48
Timestamp: 2026-02-25T10:48:17.811Z
Learning: When reviewing PHP code, especially with foreign keys that use cascadeOnDelete and are non-nullable, assume child relations exist at runtime (the database will delete children when the parent is deleted). Do not rely on null-safe operators for these relations, as PHPStan already models them as non-null. This guideline applies broadly to PHP files that define models with foreign keys using cascade delete; verify there are no unnecessary null checks or optional chaining on such relations.
Applied to files:
resources/views/livewire/configuration/application.blade.phpapp/Livewire/Configuration/Application.phptests/Feature/Configuration/ApplicationTest.phpapp/Services/AdminerService.php
📚 Learning: 2026-02-18T09:45:52.485Z
Learnt from: David-Crty
Repo: David-Crty/databasement PR: 116
File: app/Livewire/DatabaseServer/ConnectionStatus.php:18-18
Timestamp: 2026-02-18T09:45:52.485Z
Learning: In Livewire components, Eloquent model properties (e.g., public DatabaseServer $server) are automatically locked by the framework to prevent client-side ID tampering. The #[Locked] attribute is only needed for scalar properties (int, string, bool, etc.) that require protection from client-side mutation. Apply this guidance to all Livewire PHP components; use #[Locked] only on primitive properties that you want to shield from client manipulation, and rely on automatic locking for Eloquent model properties.
Applied to files:
app/Livewire/Configuration/Application.php
📚 Learning: 2026-05-06T10:46:47.009Z
Learnt from: David-Crty
Repo: David-Crty/databasement PR: 275
File: app/Models/User.php:188-216
Timestamp: 2026-05-06T10:46:47.009Z
Learning: In app/Models/User.php, the $cachedRoles cache is intentionally request-scoped to prevent N+1 queries during rendering. Pivot writes (attach() in app/Livewire/User/Create.php, updateExistingPivot() in app/Livewire/Forms/UserForm.php) are terminal within a request, and the cache is not read after a write in the same request. Do not flag missing cache invalidation after pivot writes as a bug; this design is intentional. When reviewing related changes in PHP files under app/, assume this cache pattern and do not raise invalidation issues for these flows.
Applied to files:
app/Livewire/Configuration/Application.phpapp/Services/AdminerService.php
📚 Learning: 2026-05-07T18:49:56.777Z
Learnt from: David-Crty
Repo: David-Crty/databasement PR: 275
File: app/Services/Backup/SnapshotVerificationService.php:38-41
Timestamp: 2026-05-07T18:49:56.777Z
Learning: In Laravel code analyzed with Larastan/PHPStan, when you write Eloquent relationship/query callbacks such as those passed to `whereHas`, `whereRelation`, etc. (e.g., `function ($sq) use (...) { ... }`), leave the closure parameters untyped. Avoid adding explicit type hints like `Builder $sq` or `Builder<Model>`, because Larastan’s Laravel-specific stubs typically rely on its own inferred/generic types and explicit hints can cause PHPStan/Larastan generic type-mismatch errors. Larastan should consider these closures correctly without explicit parameter type annotations.
Applied to files:
app/Livewire/Configuration/Application.phpapp/Services/AdminerService.php
📚 Learning: 2026-02-13T11:05:37.072Z
Learnt from: David-Crty
Repo: David-Crty/databasement PR: 105
File: tests/Feature/Services/Backup/Databases/SqliteDatabaseTest.php:8-11
Timestamp: 2026-02-13T11:05:37.072Z
Learning: Adopt a global afterEach hook in tests/Pest.php (or equivalent Pest bootstrap) to clean up temporary directories created during tests. Specifically handle temp dirs named with the prefixes sqlite-db-test-*, backup-task-test-*, restore-task-test-*, and volume-test-*, so individual test files don’t need their own cleanup logic. This applies to all PHP test files under the tests directory.
Applied to files:
tests/Feature/Configuration/ApplicationTest.php
📚 Learning: 2026-04-09T13:59:25.873Z
Learnt from: David-Crty
Repo: David-Crty/databasement PR: 205
File: tests/Feature/ConfigurationTest.php:165-176
Timestamp: 2026-04-09T13:59:25.873Z
Learning: In this repository, `Notification::fake()` is already performed globally in the base test class (`tests/TestCase.php`) within `setUp()` before each test. When reviewing individual test files under `tests/`, do not flag missing `Notification::fake()` calls, since they are handled by the shared base test setup.
Applied to files:
tests/Feature/Configuration/ApplicationTest.php
📚 Learning: 2026-05-05T23:16:24.464Z
Learnt from: David-Crty
Repo: David-Crty/databasement PR: 275
File: app/Services/CurrentOrganization.php:28-39
Timestamp: 2026-05-05T23:16:24.464Z
Learning: Enforce non-nullable return types for id(): string and model(): Organization in PHP service classes under app/Services. Ensure SetCurrentOrganization middleware always resolves an Organization in the web context before these methods are reached; do not reintroduce isResolved guards in callers. A null dereference due to a broken middleware chain is the intended failure signal, not silent null propagation. Document the contract in class docblocks and consider tests to verify the middleware guarantees.
Applied to files:
app/Services/AdminerService.php
🪛 OpenGrep (1.20.0)
app/Services/AdminerService.php
[ERROR] 28-28: Dynamic file path passed to include/require. This can lead to local or remote file inclusion. Use a fixed allowlist of paths.
(coderabbit.file-inclusion.php-dynamic-include)
[ERROR] 157-157: Dynamic file path passed to include/require. This can lead to local or remote file inclusion. Use a fixed allowlist of paths.
(coderabbit.file-inclusion.php-dynamic-include)
🪛 PHPMD (2.15.0)
app/Services/AdminerService.php
[warning] 97-97: Avoid unused parameters such as '$path'. (undefined)
(UnusedFormalParameter)
[warning] 97-97: Avoid unused parameters such as '$name'. (undefined)
(UnusedFormalParameter)
[warning] 122-122: Avoid unused parameters such as '$max_lifetime'. (undefined)
(UnusedFormalParameter)
🔇 Additional comments (11)
app/Livewire/Configuration/Application.php (4)
5-12: LGTM! Clean imports.All added imports are appropriately used throughout the component.
17-24: LGTM! Standard Livewire form pattern.The Toast trait and ConfigurationForm integration follow Livewire best practices.
26-39: LGTM! Excellent authorization pattern.The computed
isAdmin()property efficiently gates the UI, andsaveApplicationConfig()provides defense-in-depth with server-side authorization enforcement viaabort_unless. The separation of concerns (delegating to the form for save logic) is clean.
44-50: LGTM! Clean role options transformation.The mapping from
UserRole::assignable()to select-compatible options is concise and properly annotated.Also applies to: 93-93
resources/views/livewire/configuration/application.blade.php (4)
4-8: LGTM! Clear permission communication.The conditional subtitle effectively communicates edit restrictions to non-admin users.
26-30: LGTM! Proper Livewire form binding.The toggle uses reactive binding (
wire:model.live) and appropriately disables interaction for non-admins while maintaining backend authorization.
32-42: LGTM! Excellent security notice.The conditional role selector and warning alert effectively communicate the privilege implications of enabling Adminer. The warning about users inheriting database connection permissions is a critical security consideration.
45-54: LGTM! Clean conditional submit button.Rendering the submit button only for admins is more elegant than showing a disabled button, and the spinner provides good loading feedback.
tests/Feature/Configuration/ApplicationTest.php (3)
28-34: LGTM! Comprehensive default state test.The test properly verifies secure defaults: disabled by default (opt-in) and the most restrictive role (
admin).
36-46: LGTM! Thorough persistence test.The test properly verifies the complete save cycle from form input through to config persistence via the
AppConfigfacade.
48-53: LGTM! Essential authorization test.This test properly verifies the server-side authorization guard prevents non-admin users from modifying configuration.
|
David-Crty
force-pushed
the
feat/adminer-integration
branch
from
acbd84f to
fe48158
Compare
Adds the Adminer feature to the README features list, a short "Browsing Data with Adminer" section in the database servers guide, and an Adminer row in the permissions matrix. Surfaces a "New" badge next to the Database Browser toggle in the application configuration page, with a description that calls out the SSH tunnel and remote agent limitations. Adds optional badge support to the config-row component.
Use DatabaseServer::resolveDatabaseNames() so the auth pre-fill considers every backup on the server (not just the first), and assign $credentials directly to $_POST['auth'] instead of rebuilding the same array.
Extract the shared open-Adminer logic into an OpensAdminerForServer trait reused by Index and Show. When the feature is disabled but the caller is an admin, dispatch a promo modal (rendered by AdminerModal) that explains how to enable it and links to Configuration → Application, instead of returning 403. Non-admins keep the existing forbidden behavior.
Owner
Author
|
@coderabbitai full review |
✅ Action performedFull review finished. |
There was a problem hiding this comment.
Actionable comments posted: 3
🧹 Nitpick comments (5)
resources/css/adminer.css (1)
56-60: 💤 Low valueConsider clarifying this workaround comment.
The comment doesn't explain the root cause or what rendering issue it fixes. A brief note about why
position: staticis needed (e.g., conflict with Adminer's default sticky header inside the iframe) would help future maintainers.🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@resources/css/adminer.css` around lines 56 - 60, Summary: The current comment above the thead rule is vague; update it to explain the rendering bug being worked around. Edit the comment that precedes the thead CSS rule to state that this rule overrides Adminer/third-party styles that set thead to position:sticky/fixed (which breaks header rendering inside our iframe/container), and that setting position: static with top:0 prevents duplicated or mis-positioned sticky headers when embedded; mention the affected selector (thead) and, if available, add a short reference to the originating bug/PR for future context.tests/Feature/Http/AdminerControllerTest.php (1)
63-105: ⚡ Quick winAdd a SQLite credential case.
AdminerController::buildCredentials()has a separate SQLite branch (driver => 'sqlite'and emptyserver), but this suite only asserts MySQL and PostgreSQL. A focused SQLite test would cover the third supported database type and its special-case payload. Based on learnings: "Test authorization (who can access what), business logic (core application behavior), integration points (external services, commands, scheduled tasks), and edge cases in your code. Use factories and tests instead of creating models directly."🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@tests/Feature/Http/AdminerControllerTest.php` around lines 63 - 105, Add a focused test for the SQLite branch of AdminerController::buildCredentials by creating an Admin user and a DatabaseServer factory with database_type 'sqlite', then mocking AdminerService::render to assert the credentials payload includes 'driver' => 'sqlite' and an empty 'server' value; set session('adminer_server_id', $server->id) and perform the actingAs($user)->get(route('adminer'))->assertOk() call so the special-case SQLite payload is covered (reference AdminerController::buildCredentials, AdminerService::render, and tests/Feature/Http/AdminerControllerTest.php).app/Livewire/Forms/ConfigurationForm.php (1)
60-66: ⚡ Quick winReuse
UserRole::validationRule()to avoid duplicating the assignable-role list.The enum already provides
validationRule()(returnsin:viewer,member,adminfromassignable()). Reusing it keeps the allowed-role set defined in one place ifassignable()ever changes.♻️ Proposed refactor
private function applicationRules(): array { return [ 'adminer_enabled' => ['boolean'], - 'adminer_role' => ['required', 'string', Rule::in(array_column(UserRole::assignable(), 'value'))], + 'adminer_role' => ['required', 'string', UserRole::validationRule()], ]; }If applied, the
Illuminate\Validation\Ruleimport (Line 8) becomes unused.🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@app/Livewire/Forms/ConfigurationForm.php` around lines 60 - 66, Replace the hard-coded in: validation for adminer_role in applicationRules() by calling the enum's UserRole::validationRule() to reuse the assignable list (i.e. change the Rule::in(array_column(...)) usage to UserRole::validationRule()), and then remove the now-unused Illuminate\Validation\Rule import if it becomes unused; update the applicationRules() method to reference UserRole::validationRule() instead of duplicating assignable().app/Traits/OpensAdminerForServer.php (1)
24-25: ⚡ Quick winAuthorize before checking server support for consistent error messages.
Currently,
abort_unless($server->supportsAdminer(), 403)runs before$this->authorize('adminer', ...), which means unauthorized users receive a generic 403 when the server is unsupported, but an authorization error when it is supported. This inconsistency can confuse users and leak information about server capabilities before verifying permissions.Swap the order to match the pattern used in
AdminerController.php(lines 13-22 in context snippet), which authorizes first, then checks support.🔄 Suggested order
if (! AppConfig::get('app.adminer_enabled') && auth()->user()?->isAdmin()) { $this->dispatch('open-adminer-promo-modal'); return; } - abort_unless($server->supportsAdminer(), 403); $this->authorize('adminer', DatabaseServer::class); + abort_unless($server->supportsAdminer(), 403); session()->put('adminer_server_id', $server->id);🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@app/Traits/OpensAdminerForServer.php` around lines 24 - 25, Swap the authorization and support check so authorization runs first: call $this->authorize('adminer', DatabaseServer::class) before abort_unless($server->supportsAdminer(), 403). This ensures the authorize('adminer', DatabaseServer::class) check happens prior to invoking $server->supportsAdminer(), matching the pattern used in AdminerController and preventing capability leaks.app/Livewire/DatabaseServer/Show.php (1)
136-137: ⚖️ Poor tradeoffConsider extracting the promo eligibility check to reduce duplication.
The condition
! AppConfig::get('app.adminer_enabled') && (auth()->user()?->isAdmin() ?? false)is duplicated inapp/Traits/OpensAdminerForServer.phpat line 18. If this logic changes, both locations must be updated.Consider extracting to a helper method (e.g.,
AppConfig::canPromoteAdminer()orUser::canSeeAdminerPromo()) to ensure consistency.🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@app/Livewire/DatabaseServer/Show.php` around lines 136 - 137, The duplicated promo-eligibility boolean (! AppConfig::get('app.adminer_enabled') && (auth()->user()?->isAdmin() ?? false)) should be extracted to a single helper method to avoid divergence; add a descriptive static helper such as AppConfig::canPromoteAdminer() or an instance helper like User::canSeeAdminerPromo() that encapsulates the AppConfig::get('app.adminer_enabled') check and auth()->user()?->isAdmin() call, then replace the inline expression in the Show class ('canPromoteAdminer') and in OpensAdminerForServer (line with the same expression) to call the new helper so both locations use the single source of truth.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@app/Livewire/DatabaseServer/AdminerModal.php`:
- Line 21: The public Livewire property AdminerModal::$adminerUrl is currently
writable from the client and must be protected; add the Livewire Locked
attribute to the property (e.g., annotate $adminerUrl with #[Locked]) so it
cannot be mutated by client payloads while still allowing server-side updates
via the existing openModal event listener; ensure you import the Locked
attribute (Livewire\Attributes\Locked) in AdminerModal.php and keep the property
type and initialization unchanged.
In `@docs/docs/user-guide/permissions.md`:
- Around line 30-33: Update the permissions matrix row for "Open Adminer" so the
Admin column is not always a ✅; change it to "configurable" (or add a clarifying
footnote) to reflect that Adminer access is off by default and gated by the
configurable minimum role (see the "Adminer access" explanation and the
"Configuration → Application" reference).
In `@tests/Feature/Http/AdminerControllerTest.php`:
- Around line 10-13: The shared beforeEach setup enables the Adminer feature but
doesn't set the required gate role, so tests rely on the app default; update the
beforeEach (where AppConfig::set('app.adminer_enabled', true) and the
AdminerService mock are configured) to also explicitly set
AppConfig::set('app.adminer_role', '<expected-role>') to the role the tests
should exercise (use the specific role string your tests expect) so the
controller gate checks run deterministically.
---
Nitpick comments:
In `@app/Livewire/DatabaseServer/Show.php`:
- Around line 136-137: The duplicated promo-eligibility boolean (!
AppConfig::get('app.adminer_enabled') && (auth()->user()?->isAdmin() ?? false))
should be extracted to a single helper method to avoid divergence; add a
descriptive static helper such as AppConfig::canPromoteAdminer() or an instance
helper like User::canSeeAdminerPromo() that encapsulates the
AppConfig::get('app.adminer_enabled') check and auth()->user()?->isAdmin() call,
then replace the inline expression in the Show class ('canPromoteAdminer') and
in OpensAdminerForServer (line with the same expression) to call the new helper
so both locations use the single source of truth.
In `@app/Livewire/Forms/ConfigurationForm.php`:
- Around line 60-66: Replace the hard-coded in: validation for adminer_role in
applicationRules() by calling the enum's UserRole::validationRule() to reuse the
assignable list (i.e. change the Rule::in(array_column(...)) usage to
UserRole::validationRule()), and then remove the now-unused
Illuminate\Validation\Rule import if it becomes unused; update the
applicationRules() method to reference UserRole::validationRule() instead of
duplicating assignable().
In `@app/Traits/OpensAdminerForServer.php`:
- Around line 24-25: Swap the authorization and support check so authorization
runs first: call $this->authorize('adminer', DatabaseServer::class) before
abort_unless($server->supportsAdminer(), 403). This ensures the
authorize('adminer', DatabaseServer::class) check happens prior to invoking
$server->supportsAdminer(), matching the pattern used in AdminerController and
preventing capability leaks.
In `@resources/css/adminer.css`:
- Around line 56-60: Summary: The current comment above the thead rule is vague;
update it to explain the rendering bug being worked around. Edit the comment
that precedes the thead CSS rule to state that this rule overrides
Adminer/third-party styles that set thead to position:sticky/fixed (which breaks
header rendering inside our iframe/container), and that setting position: static
with top:0 prevents duplicated or mis-positioned sticky headers when embedded;
mention the affected selector (thead) and, if available, add a short reference
to the originating bug/PR for future context.
In `@tests/Feature/Http/AdminerControllerTest.php`:
- Around line 63-105: Add a focused test for the SQLite branch of
AdminerController::buildCredentials by creating an Admin user and a
DatabaseServer factory with database_type 'sqlite', then mocking
AdminerService::render to assert the credentials payload includes 'driver' =>
'sqlite' and an empty 'server' value; set session('adminer_server_id',
$server->id) and perform the actingAs($user)->get(route('adminer'))->assertOk()
call so the special-case SQLite payload is covered (reference
AdminerController::buildCredentials, AdminerService::render, and
tests/Feature/Http/AdminerControllerTest.php).
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: CHILL
Plan: Pro
Run ID: 5a55e45f-3192-4684-8f33-81257aa0ba38
⛔ Files ignored due to path filters (1)
composer.lockis excluded by!**/*.lock
📒 Files selected for processing (31)
README.mdapp/Enums/UserRole.phpapp/Http/Controllers/Web/AdminerController.phpapp/Livewire/Configuration/Application.phpapp/Livewire/DatabaseServer/AdminerModal.phpapp/Livewire/DatabaseServer/Index.phpapp/Livewire/DatabaseServer/Show.phpapp/Livewire/Forms/ConfigurationForm.phpapp/Models/DatabaseServer.phpapp/Models/User.phpapp/Policies/DatabaseServerPolicy.phpapp/Services/AdminerService.phpapp/Services/AppConfigService.phpapp/Services/adminer_object.phpapp/Traits/OpensAdminerForServer.phpbootstrap/app.phpcomposer.jsondocs/docs/user-guide/database-servers.mddocs/docs/user-guide/permissions.mdphpstan.neonresources/css/adminer.cssresources/views/components/config-row.blade.phpresources/views/livewire/configuration/application.blade.phpresources/views/livewire/database-server/adminer-modal.blade.phpresources/views/livewire/database-server/index.blade.phpresources/views/livewire/database-server/show.blade.phproutes/web.phptests/Feature/Configuration/ApplicationTest.phptests/Feature/Http/AdminerControllerTest.phptests/Feature/Livewire/DatabaseServer/IndexTest.phpvite.config.js
Flip the app.adminer_enabled default to true (role default stays admin) so the Database Browser is discoverable out of the box for Admins. Remove the promo modal flow and its plumbing (AdminerModal $isPromo branch, canPromoteAdminer in Index/Show, dedicated trait branch and event) — when the feature is disabled it now simply 403s as before. Tests that depended on the previous false default now set the flag explicitly. Docs updated.
- Lock AdminerModal::$adminerUrl to prevent client-side mutation of the iframe src. - Reuse UserRole::validationRule() for adminer_role validation instead of duplicating the assignable list (drops the now-unused Rule import). - Authorize the adminer gate before checking supportsAdminer() in the OpensAdminerForServer trait, matching AdminerController's order.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
dg/adminer-customvia Composer and serves it through a Laravel controller with session-based credential passingArchitecture
AdminerController— handles auto-login by setting$_POST['auth']on initial load, delegates to serviceAdminerService— resolves Vite CSS path, serves static assets, configures output buffering, includesadminer.phpadminer_object.php— global-namespace function required by Adminer for auto-login, iframe headers (X-Frame-Options: SAMEORIGIN), and custom CSSAdminerModal— Livewire component with fullscreen overlay + iframeresources/css/adminer.css— Vite entry that imports vendor CSS and adds overrides (modern font, rounded inputs, uppercase table headers, hidden branding)/adminerroute (Adminer has its own form handling)Test plan
Summary by CodeRabbit
Release Notes
New Features
Documentation