Any ideas or recommendations?
Hello, recently I spoke with another developer, and he said that he only uses an index to reference elements in a media collection when accessing them from the frontend.
To me, it would actually make more sense to use the ID or UUID of the Media model instead.
He argued that using the index is safer, since database IDs shouldn’t be exposed publicly for security reasons.
For example, if I use the following Livewire component:
Since the ->getMedia('wallpapers') function already filters the images belonging to the user, the collection might contain only three elements, for instance.
Accessing them by index would potentially make it possible to simply loop from 0 to n and delete all of the user’s “wallpapers.”
However, if you use ID or UUID instead, the attack vector would be much smaller: it would require far more random guessing before someone could actually delete another image, especially when using the UUID.
For example:
When I mentioned this, the developer told me that you should never expose database IDs publicly, and that according to the Spatie documentation (https://spatie.be/docs/laravel-medialibrary/v11/basic-usage/retrieving-media), using index access is recommended.
Is that really the recommended approach?
No matter how often I think about it, my gut feeling tells me that using IDs or UUIDs for referencing would make more sense.
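The following is an added example, not code from the post above or from the Spatie documentation, showing the design point the question turns on: what protects another user's media is the scoping of the lookup to the authenticated user's own collection, not whether the element is addressed by index, integer id or UUID. It assumes a User model that uses Spatie's InteractsWithMedia trait with a "wallpapers" collection, Livewire 3 (the App\Livewire namespace) and the `uuid` column that medialibrary v11 keeps on the Media table; the component, method and view names are hypothetical.

```php
<?php

// Added example, not code from the original post or from Spatie's library docs.
// Assumptions (hypothetical names): the authenticated User model uses Spatie's
// InteractsWithMedia trait with a "wallpapers" collection, Livewire 3 is used
// (namespace App\Livewire), and the media table has the `uuid` column that
// medialibrary v11 maintains.

namespace App\Livewire;

use Illuminate\Support\Facades\Auth;
use Livewire\Component;
use Spatie\MediaLibrary\MediaCollections\Models\Media;

class WallpaperGallery extends Component
{
    /**
     * Delete one of the current user's wallpapers, referenced by UUID.
     *
     * The authorization is the scoping, not the identifier: the lookup runs
     * inside $user->getMedia('wallpapers'), so a UUID (or integer id) that
     * belongs to another user's media is simply not found here and cannot be
     * deleted through this component, however guessable the identifier is.
     */
    public function deleteWallpaper(string $uuid): void
    {
        $user = Auth::user();
        abort_unless($user, 403);

        /** @var Media|null $media */
        $media = $user->getMedia('wallpapers')->firstWhere('uuid', $uuid);

        // Not in this user's collection: report not-found. Do NOT fall back to
        // Media::findByUuid() or Media::find(), which would drop the scoping
        // and turn a guessed identifier into a cross-user delete.
        abort_unless($media, 404);

        $media->delete();
    }

    public function render()
    {
        return view('livewire.wallpaper-gallery', [
            'wallpapers' => Auth::user()->getMedia('wallpapers'),
        ]);
    }
}

/*
Matching Blade template (resources/views/livewire/wallpaper-gallery.blade.php),
also part of this added example:

<div>
    @foreach ($wallpapers as $media)
        <div>
            <img src="{{ $media->getUrl() }}" alt="">
            <button wire:click="deleteWallpaper('{{ $media->uuid }}')">Delete</button>
        </div>
    @endforeach
</div>

An index-based variant would take `int $index` and look the item up with
`$user->getMedia('wallpapers')->get($index)`. It is scoped to the same user, so
it is no less authorized, but the index only means something for the collection
as it was when the page rendered: an upload or deletion in between (another tab,
another request) shifts the positions and the click then removes a different
wallpaper. The UUID names one row regardless of ordering.
*/
```

Whichever identifier the front end sends, the check that matters is the one in `deleteWallpaper`: the item must be resolved from the authenticated user's own collection, and a miss must not be rescued by a global `Media` lookup.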