动作方法

未匹配的标注
本文档最新版为 2.x,旧版本可能放弃维护,推荐阅读最新版!

Livewire Action 其实就是组件上的方法,可以通过前端交互(例如单击按钮或提交表单)触发。 它们为开发人员提供了能够直接从浏览器调用 PHP 方法的途径,使您能够专注于应用程序的逻辑,而不必编写服务端与客户端连接交互的重复代码。

让我们探讨一下在 “CreatePost” 组件上调用 “save” 操作的基本示例:

<?php

namespace App\Livewire;

use Livewire\Component;
use App\Models\Post;

class CreatePost extends Component
{
    public $title = '';

    public $content = '';

    public function save()
    {
        Post::create([
            'title' => $this->title,
            'content' => $this->content,
        ]);

        return redirect()->to('/posts');
    }

    public function render()
    {
        return view('livewire.create-post');
    }
}
<form wire:submit="save"> <!-- [tl! highlight] -->
    <input type="text" wire:model="title">

    <textarea wire:model="content"></textarea>

    <button type="submit">Save</button>
</form>

在上面的示例中,当用户通过单击“保存”提交表单时,wire:submit 会拦截 “submit” 事件并调用服务器上的 “save()” 操作。

从本质上讲,操作可以轻松将用户交互提交到服务器端,而无需手动提交和处理 AJAX 请求。

事件监听器

Livewire 支持各种事件监听器,使您能够响应各种类型的用户交互:

Listener Description
wire:click 点击触发
wire:submit 表单提交触发
wire:keydown 键盘按键按下触发
wire:mouseenter 当鼠标进入元素时触发
wire:* wire: 后面的任何文本都将用作监听器的事件名称

由于 wire: 后面的事件名称可以是任何名称,因此 Livewire 支持您可能需要侦听的任何浏览器事件。 例如,要监听 transitionend,您可以使用 wire:transitionend

监听特定的按键

您可以使用 Livewire 的别名指定监听的事件。

例如,要在用户在搜索框中键入内容后按“Enter”键时执行搜索,您可以使用 wire:keydown.enter

<input wire:model="query" wire:keydown.enter="searchPosts">

您可以在别名之后拼接更多的按键别名来监听按键组合。 如果您想监听 Shift 键和 Enter 键同时按下,则可以编写以下内容:

<input wire:keydown.shift.enter="...">

以下是所有可以使用的按键别名:

Modifier Key
.shift Shift
.enter Enter
.space Space
.ctrl Ctrl
.cmd Cmd
.meta Cmd on Mac, Windows key on Windows
.alt Alt
.up Up arrow
.down Down arrow
.left Left arrow
.right Right arrow
.escape Escape
.tab Tab
.caps-lock Caps Lock
.equal Equal, =
.period Period, .
.slash Forward Slash, /

事件修饰符

Livewire also includes helpful modifiers to make common event-handling tasks trivial.

For example, if you need to call event.preventDefault() from inside an event listener, you can suffix the event name with .prevent:

<input wire:keydown.prevent="...">

以下是所有可用事件监听器修饰符及其功能的完整列表:

Modifier Key
.prevent 等同于 .preventDefault()
.stop 等同于 .stopPropagation()
.window 监听 window 对象上的事件
.outside 只监听元素外部的点击
.document 监听 document 对象上的事件
.once 确保监听器仅被调用一次
.debounce 默认情况下,处理程序防抖延迟 250 毫秒
.debounce.100ms 防抖延迟指定为100毫秒
.throttle 将处理程序限制为至少每 250 毫秒调用一次
.throttle.100ms 将处理程序限制为至少每 100 毫秒调用一次
.self 仅当事件源自此元素而不是子元素时才调用侦听器
.camel 将事件名称转换为驼峰式大小写 (wire:custom-event -> “customEvent”)
.dot 将事件名称转换为点链接 (wire:custom-event -> “custom.event”)
.passive wire:touchstart.passive 不会阻止滚动性能
.capture 在“capturing”阶段监听事件

因为 wire: 在底层使用了 Alpine 的 x-on 指令,所以这些修饰符由 Alpine 提供给您。 有关何时应使用这些修饰符的更多背景信息,请参阅 Alpine Events 文档

处理第三方事件

Livewire 还支持监听第三方库触发的自定义事件。

例如,假设您在项目中使用 Trix 富文本编辑器,并且您想要监听 trix-change 事件来捕获编辑器的内容。 您可以使用 wire:trix-change 指令来完成此操作:

<form wire:submit="save">
    <!-- ... -->

    <trix-editor
        wire:trix-change="setPostContent($event.target.value)"
    ></trix-editor>

    <!-- ... -->
</form>

在此示例中,只要触发 trix-change事件,就会调用 setPostContent 操作,从而将 Livewire 组件中的conten 属性的当前值更新为 Trix 编辑器的内容。

您可以使用 $event 访问事件对象
在 Livewire 事件处理程序中,您可以通过 $event 访问事件对象。 这对于调试有关事件的信息很有用。 例如,您可以通过$event.target 访问触发事件的元素。

上面的 Trix 演示代码不完整,仅用作事件侦听器的演示。 如果逐字使用,每次按键都会触发网络请求。 更高效的实现是:

<trix-editor
   x-on:trix-change="$wire.content = $event.target.value"
></trix-editor>

监听发送的自定义事件

也可以使用 Livewire 监听从 Alpine 触发的自定义事件:

<div wire:custom-event="...">

    <!-- Deeply nested within this component: -->
    <button x-on:click="$dispatch('custom-event')">...</button>

</div>

单击示例中的按钮时,将触发 custom-event 事件并向上冒泡到 Livewire 组件的根部,其中 wire:custom-event 将捕获该事件并调用指定操作。

如果您想侦听应用程序中其他地方分派的事件,则需要等待事件冒泡到 window 对象并在那里监听。 幸运的是,Livewire 允许您向任何事件监听器添加简单的 .window 修饰符:

<div wire:custom-event.window="...">
    <!-- ... -->
</div>

<!-- Dispatched somewhere on the page outside the component: -->
<button x-on:click="$dispatch('custom-event')">...</button>

提交表单时禁用输入

还是之前的“CreatePost”示例:

<form wire:submit="save">
    <input wire:model="title">

    <textarea wire:model="content"></textarea>

    <button type="submit">Save</button>
</form>

当用户单击“save”时,网络请求将发送到服务器以调用 Livewire 组件上的“save()”操作。

但当网络高延迟时,提交表单不会有任何反应,用户可能在第一个请求没结束时再次点击保存按钮。

在这种情况下,将同时处理同一操作的两个请求。

为了防止这种情况,Livewire 在处理 wire:submit 操作时会自动禁用 <form> 元素内的提交按钮和所有表单输入。 这可确保表单不会意外提交两次。

为了进一步减少网络速度较慢的用户的困惑,显示一些加载指示器(例如微妙的背景颜色变化或 SVG 动画)通常很有帮助。

Livewire 提供了一个 wire:loading 指令,可以轻松地在页面上的任何位置显示和隐藏加载指示器。 以下是使用 wire:loading 在“保存”按钮下方显示加载消息的简短示例:

<form wire:submit="save">
    <textarea wire:model="content"></textarea>

    <button type="submit">Save</button>

    <span wire:loading>Saving...</span> <!-- [tl! highlight] -->
</form>

wire:loading is a powerful feature with a variety of more powerful features. Check out the full loading documentation for more information.

Passing parameters

Livewire allows you to pass parameters from your Blade template to the actions in your component, giving you the opportunity to provide an action additional data or state from the frontend when the action is called.

For example, let’s imagine you have a ShowPosts component that allows users to delete a post. You can pass the post’s ID as a parameter to the delete() action in your Livewire component. Then, the action can fetch the relevant post and delete it from the database:

<?php

namespace App\Livewire;

use Illuminate\Support\Facades\Auth;
use Livewire\Component;
use App\Models\Post;

class ShowPosts extends Component
{
    public function delete($id)
    {
        $post = Post::findOrFail($id);

        $this->authorize('delete', $post);

        $post->delete();
    }

    public function render()
    {
        return view('livewire.show-posts', [
            'posts' => Auth::user()->posts,
        ]);
    }
}
<div>
    @foreach ($posts as $post)
        <div wire:key="{{ $post->id }}">
            <h1>{{ $post->title }}</h1>
            <span>{{ $post->content }}</span>

            <button wire:click="delete({{ $post->id }})">Delete</button> <!-- [tl! highlight] -->
        </div>
    @endforeach
</div>

For a post with an ID of 2, the “Delete” button in the Blade template above will render in the browser as:

<button wire:click="delete(2)">Delete</button>

When this button is clicked, the delete() method will be called and $id will be passed in with a value of “2”.

[!warning] Don’t trust action parameters
Action parameters should be treated just like HTTP request input, meaning action parameter values should not be trusted. You should always authorize ownership of an entity before updating it in the database.

For more information, consult our documentation regarding security concerns and best practices.

As an added convenience, you may automatically resolve Eloquent models by a corresponding model ID that is provided to an action as a parameter. This is very similar to route model binding. To get started, type-hint an action parameter with a model class and the appropriate model will automatically be retrieved from the database and passed to the action instead of the ID:

<?php

namespace App\Livewire;

use Illuminate\Support\Facades\Auth;
use Livewire\Component;
use App\Models\Post;

class ShowPosts extends Component
{
    public function delete(Post $post) // [tl! highlight]
    {
        $this->authorize('delete', $post);

        $post->delete();
    }

    public function render()
    {
        return view('livewire.show-posts', [
            'posts' => Auth::user()->posts,
        ]);
    }
}

Dependency injection

You can take advantage of Laravel’s dependency injection system by type-hinting parameters in your action’s signature. Livewire and Laravel will automatically resolve the action’s dependencies from the container:

<?php

namespace App\Livewire;

use Illuminate\Support\Facades\Auth;
use Livewire\Component;
use App\Repositories\PostRepository;

class ShowPosts extends Component
{
    public function delete(PostRepository $posts, $postId) // [tl! highlight]
    {
        $posts->deletePost($postId);
    }

    public function render()
    {
        return view('livewire.show-posts', [
            'posts' => Auth::user()->posts,
        ]);
    }
}
<div>
    @foreach ($posts as $post)
        <div wire:key="{{ $post->id }}">
            <h1>{{ $post->title }}</h1>
            <span>{{ $post->content }}</span>

            <button wire:click="delete({{ $post->id }})">Delete</button> <!-- [tl! highlight] -->
        </div>
    @endforeach
</div>

In this example, the delete() method receives an instance of PostRepository resolved via Laravel’s service container before receiving the provided $postId parameter.

Calling actions from Alpine

Livewire integrates seamlessly with Alpine. In fact, under the hood, every Livewire component is also an Alpine component. This means you can take full advantage of Alpine within your components to add JavaScript powered client-side interactivity.

To make this pairing even more powerful, Livewire exposes a magic $wire object to Alpine that can be treated as a JavaScript representation of your PHP component. In addition to accessing and mutating public properties via $wire, you can call actions. When an action is invoked on the $wire object, the corresponding PHP method will be invoked on your backend Livewire component:

<button x-on:click="$wire.save()">Save Post</button>

Or, to illustrate a more complex example, you might use Alpine’s x-intersect utility to trigger a incrementViewCount() Livewire action when a given element is visible on the page:

<div x-intersect="$wire.incrementViewCount()">...</div>

Passing parameters

Any parameters you pass to the $wire method will also be passed to the PHP class method. For example, consider the following Livewire action:

public function addTodo($todo)
{
    $this->todos[] = $todo;
}

Within your component’s Blade template, you can invoke this action via Alpine, providing the parameter that should be given to the action:

<div x-data="{ todo: '' }">
    <input type="text" x-model="todo">

    <button x-on:click="$wire.addTodo(todo)">Add Todo</button>
</div>

If a user had typed in “Take out the trash” into the text input and the pressed the “Add Todo” button, the addTodo() method will be triggered with the $todo parameter value being “Take out the trash”.

Receiving return values

For even more power, invoked $wire actions return a promise while the network request is processing. When the server response is received, the promise resolves with the value returned by the backend action.

For example, consider a Livewire component that has the following action:

use App\Models\Post;

public function getPostCount()
{
    return Post::count();
}

Using $wire, the action may be invoked and its returned value resolved:

<span x-text="await $wire.getPostCount()"></span>

In this example, if the getPostCount() method returns “10”, the <span> tag will also contain “10”.

Alpine knowledge is not required when using Livewire; however, it’s an extremely powerful tool and knowing Alpine will augment your Livewire experience and productivity.

Livewire’s “hybrid” JavaScript functions

Sometimes there are actions in your component that don’t need to communicate with the server and can be more efficiently written using only JavaScript.

In these cases, rather than writing the actions inside your Blade template or another file, your component action may return the JavaScript function as a string. If the action is marked with the #[Js] attribute, it will be callable from your application’s frontend:

For example:

<?php

namespace App\Livewire;

use Livewire\Attributes\Js;
use Livewire\Component;
use App\Models\Post;

class SearchPosts extends Component
{
    public $query = '';

    #[Js] // [tl! highlight:6]
    public function reset()
    {
        return <<<'JS'
            $wire.query = '';
        JS;
    }

    public function render()
    {
        return view('livewire.search-posts', [
            'posts' => Post::whereTitle($this->query)->get(),
        ]);
    }
}
<div>
    <input wire:model.live="query">

    <button wire:click="reset">Reset Search</button> <!-- [tl! highlight] -->

    @foreach ($posts as $post)
        <!-- ... -->
    @endforeach
</div>

In the above example, when the “Reset Search” button is pressed, the text input will be cleared without sending any requests to the server.

Evaluating one-off JavaScript expressions

In addition to designating entire methods to be evaluated in JavaScript, you can use the js() method to evaluate smaller, individual expressions.

This is generally useful for performing some kind of client-side follow-up after a server-side action is performed.

For example, here is an example of a CreatePost component that triggers a client-side alert dialog after the post is saved to the database:

<?php

namespace App\Livewire;

use Livewire\Component;

class CreatePost extends Component
{
    public $title = '';

    public function save()
    {
        // ...

        $this->js("alert('Post saved!')"); // [tl! highlight:6]
    }
}

The JavaScript expression alert('Post saved!') will now be executed on the client after the post has been saved to the database on the server.

Just like #[Js] methods, you can access the current component’s $wire object inside the expression.

Magic actions

Livewire provides a set of “magic” actions that allow you to perform common tasks in your components without defining custom methods. These magic actions can be used within event listeners defined in your Blade templates.

$parent

The $parent magic variable allows you to access parent component properties and call parent component actions from a child component:

<button wire:click="$parent.removePost({{ $post->id }})">Remove</button>

In the above example, if a parent component has a removePost() action, a child can call it directly from its Blade template using $parent.removePost().

$set

The $set magic action allows you to update a property in your Livewire component directly from the Blade template. To use $set, provide the property you want to update and the new value as arguments:

<button wire:click="$set('query', '')">Reset Search</button>

In this example, when the button is clicked, a network request is dispatched that sets the $query property in the component to ''.

$refresh

The $refresh action triggers a re-render of your Livewire component. This can be useful when updating the component’s view without changing any property values:

<button wire:click="$refresh">Refresh</button>

When the button is clicked, the component will re-render, allowing you to see the latest changes in the view.

$toggle

The $toggle action is used to toggle the value of a boolean property in your Livewire component:

<button wire:click="$toggle('sortAsc')">
    Sort {{ $sortAsc ? 'Descending' : 'Ascending' }}
</button>

In this example, when the button is clicked, the $sortAsc property in the component will toggle between true and false.

$dispatch

The $dispatch action allows you to dispatch a Livewire event directly in the browser. Below is an example of a button that, when clicked, will dispatch the post-deleted event:

<button type="submit" wire:click="$dispatch('post-deleted')">Delete Post</button>

$event

The $event action may be used within event listeners like wire:click. This action gives you access to the actual JavaScript event that was triggered, allowing you to reference the triggering element and other relevant information:

<input type="text" wire:keydown.enter="search($event.target.value)">

When the enter key is pressed while a user is typing in the input above, the contents of the input will be passed as a parameter to the search() action.

Using magic actions from Alpine

You can also call magic actions from Alpine using the $wire object. For example, you may use the $wire object to invoke the $refresh magic action:

<button x-on:click="$wire.$refresh()">Refresh</button>

Skipping re-renders

Sometimes there might be an action in your component with no side effects that would change the rendered Blade template when the action is invoked. If so, you can skip the render portion of Livewire’s lifecycle by adding the #[Renderless] attribute above the action method.

To demonstrate, in the ShowPost component below, the “view count” is logged when the user has scrolled to the bottom of the post:

<?php

namespace App\Livewire;

use Livewire\Attributes\Renderless;
use Livewire\Component;
use App\Models\Post;

class ShowPost extends Component
{
    public Post $post;

    public function mount(Post $post)
    {
        $this->post = $post;
    }

    #[Renderless] // [tl! highlight]
    public function incrementViewCount()
    {
        $this->post->incrementViewCount();
    }

    public function render()
    {
        return view('livewire.show-post');
    }
}
<div>
    <h1>{{ $post->title }}</h1>
    <p>{{ $post->content }}</p>

    <div x-intersect="$wire.incrementViewCount()"></div>
</div>

The example above uses x-intersect, an Alpine utility that calls the expression when the element enters the viewport (typically used to detect when a user scrolls to an element further down the page).

As you can see, when a user scrolls to the bottom of the post, incrementViewCount() is invoked. Since #[Renderless] was added to the action, the view is logged, but the template doesn’t re-render and no part of the page is affected.

If you prefer to not utilize method attributes or need to conditionally skip rendering, you may invoke the skipRender() method in your component action:

<?php

namespace App\Livewire;

use Livewire\Component;
use App\Models\Post;

class ShowPost extends Component
{
    public Post $post;

    public function mount(Post $post)
    {
        $this->post = $post;
    }

    public function incrementViewCount()
    {
        $this->post->incrementViewCount();

        $this->skipRender(); // [tl! highlight]
    }

    public function render()
    {
        return view('livewire.show-post');
    }
}

Security concerns

Remember that any public method in your Livewire component can be called from the client-side, even without an associated wire:click handler that invokes it. In these scenarios, users can still trigger the action from the browser’s DevTools.

Below are three examples of easy-to-miss vulnerabilities in Livewire components. Each will show the vulnerable component first and the secure component after. As an exercise, try spotting the vulnerabilities in the first example before viewing the solution.

If you are having difficulty spotting the vulnerabilities and that makes you concerned about your ability to keep your own applications secure, remember all these vulnerabilities apply to standard web applications that use requests and controllers. If you use a component method as a proxy for a controller method, and its parameters as a proxy for request input, you should be able to apply your existing application security knowledge to your Livewire code.

Always authorize action parameters

Just like controller request input, it’s imperative to authorize action parameters since they are arbitrary user input.

Below is a ShowPosts component where users can view all their posts on one page. They can delete any post they like using one of the post’s “Delete” buttons.

Here is a vulnerable version of component:

<?php

namespace App\Livewire;

use Illuminate\Support\Facades\Auth;
use Livewire\Component;
use App\Models\Post;

class ShowPosts extends Component
{
    public function delete($id)
    {
        $post = Post::find($id);

        $post->delete();
    }

    public function render()
    {
        return view('livewire.show-posts', [
            'posts' => Auth::user()->posts,
        ]);
    }
}
<div>
    @foreach ($posts as $post)
        <div wire:key="{{ $post->id }}">
            <h1>{{ $post->title }}</h1>
            <span>{{ $post->content }}</span>

            <button wire:click="delete({{ $post->id }})">Delete</button>
        </div>
    @endforeach
</div>

Remember that a malicious user can call delete() directly from a JavaScript console, passing any parameters they would like to the action. This means that a user viewing one of their posts can delete another user’s post by passing the un-owned post ID to delete().

To protect against this, we need to authorize that the user owns the post about to be deleted:

<?php

namespace App\Livewire;

use Illuminate\Support\Facades\Auth;
use Livewire\Component;
use App\Models\Post;

class ShowPosts extends Component
{
    public function delete($id)
    {
        $post = Post::find($id);

        $this->authorize('delete', $post); // [tl! highlight]

        $post->delete();
    }

    public function render()
    {
        return view('livewire.show-posts', [
            'posts' => Auth::user()->posts,
        ]);
    }
}

Always authorize server-side

Like standard Laravel controllers, Livewire actions can be called by any user, even if there isn’t an affordance for invoking the action in the UI.

Consider the following BrowsePosts component where any user can view all the posts in the application, but only administrators can delete a post:

<?php

namespace App\Livewire;

use Livewire\Component;
use App\Models\Post;

class BrowsePosts extends Component
{
    public function deletePost($id)
    {
        $post = Post::find($id);

        $post->delete();
    }

    public function render()
    {
        return view('livewire.browse-posts', [
            'posts' => Post::all(),
        ]);
    }
}
<div>
    @foreach ($posts as $post)
        <div wire:key="{{ $post->id }}">
            <h1>{{ $post->title }}</h1>
            <span>{{ $post->content }}</span>

            @if (Auth::user()->isAdmin())
                <button wire:click="deletePost({{ $post->id }})">Delete</button>
            @endif
        </div>
    @endforeach
</div>

As you can see, only administrators can see the “Delete” button; however, any user can call deletePost() on the component from the browser’s DevTools.

To patch this vulnerability, we need to authorize the action on the server like so:

<?php

namespace App\Livewire;

use Illuminate\Support\Facades\Auth;
use Livewire\Component;
use App\Models\Post;

class BrowsePosts extends Component
{
    public function deletePost($id)
    {
        if (! Auth::user()->isAdmin) { // [tl! highlight:2]
            abort(403);
        }

        $post = Post::find($id);

        $post->delete();
    }

    public function render()
    {
        return view('livewire.browse-posts', [
            'posts' => Post::all(),
        ]);
    }
}

With this change, only administrators can delete a post from this component.

Keep dangerous methods protected or private

Every public method inside your Livewire component is callable from the client. Even methods you haven’t referenced inside a wire:click handler. To prevent a user from calling a method that isn’t intended to be callable client-side, you should mark them as protected or private. By doing so, you restrict the visibility of that sensitive method to the component’s class and its subclasses, ensuring they cannot be called from the client-side.

Consider the BrowsePosts example that we previously discussed, where users can view all posts in your application, but only administrators can delete posts. In the Always authorize server-side section, we made the action secure by adding server-side authorization. Now imagine we refactor the actual deletion of the post into a dedicated method like you might do in order to simplify your code:

// Warning: This snippet demonstrates what NOT to do...
<?php

namespace App\Livewire;

use Illuminate\Support\Facades\Auth;
use Livewire\Component;
use App\Models\Post;

class BrowsePosts extends Component
{
    public function deletePost($id)
    {
        if (! Auth::user()->isAdmin) {
            abort(403);
        }

        $this->delete($id); // [tl! highlight]
    }

    public function delete($postId)  // [tl! highlight:5]
    {
        $post = Post::find($postId);

        $post->delete();
    }

    public function render()
    {
        return view('livewire.browse-posts', [
            'posts' => Post::all(),
        ]);
    }
}
<div>
    @foreach ($posts as $post)
        <div wire:key="{{ $post->id }}">
            <h1>{{ $post->title }}</h1>
            <span>{{ $post->content }}</span>

            <button wire:click="deletePost({{ $post->id }})">Delete</button>
        </div>
    @endforeach
</div>

As you can see, we refactored the post deletion logic into a dedicated method named delete(). Even though this method isn’t referenced anywhere in our template, if a user gained knowledge of its existence, they would be able to call it from the browser’s DevTools because it is public.

To remedy this, we can mark the method as protected or private. Once the method is marked as protected or private, an error will be thrown if a user tries to invoke it:

<?php

namespace App\Livewire;

use Illuminate\Support\Facades\Auth;
use Livewire\Component;
use App\Models\Post;

class BrowsePosts extends Component
{
    public function deletePost($id)
    {
        if (! Auth::user()->isAdmin) {
            abort(403);
        }

        $this->delete($id);
    }

    protected function delete($postId) // [tl! highlight]
    {
        $post = Post::find($postId);

        $post->delete();
    }

    public function render()
    {
        return view('livewire.browse-posts', [
            'posts' => Post::all(),
        ]);
    }
}

本文章首发在 LearnKu.com 网站上。

上一篇 下一篇
《L02 从零构建论坛系统》
以构建论坛项目 LaraBBS 为线索,展开对 Laravel 框架的全面学习。应用程序架构思路贴近 Laravel 框架的设计哲学。
《L01 基础入门》
我们将带你从零开发一个项目并部署到线上,本课程教授 Web 开发中专业、实用的技能,如 Git 工作流、Laravel Mix 前端工作流等。
讨论数量: 0
发起讨论 只看当前版本


暂无话题~