North Meets South Web Podcast

Jake and Michael dive into a wide range of topics, from coding practices in Laravel to the evolving role of AI in software development. They kick things off with daylight savings and weekend updates before moving into technical discussions on authorization, policies, and form requests in Laravel.

The conversation expands to cover recent changes in middleware and controller patterns, contextual attributes in the service container, and practical approaches to request validation.

Later, the focus shifts toward AI tools like Claude, Grok, and Cursor, including their strengths, frustrations, and industry-wide adoption pressures. We reflect on the uneasy balance between developer control and AI assistance, wrapping up with thoughts on productivity, value, and what it means to let machines write code.

Show links

Creators and Guests

Host

Jake Bennett

Christ follower, software dev @wilbergroup using @laravelphp. Co-host of @northsouthaudio and @laravelnews with @michaeldyrynda

Host

Michael Dyrynda

Dad. @laravelphp Artisan. @LaraconAU organiser. Co-host of @northsouthaudio, @laravelnews, @ripplesfm. Opinions are mine.

What is North Meets South Web Podcast?

Jake Bennett and Michael Dyrynda conquer a 14.5 hour time difference to talk about life as web developers

-Hey. I'm Michael Dyrynda.
-And I'm Jake Bennett.

And welcome to episode 183 of the North
Meet South Web Podcast.

Hello, friends. It is once again that time
of the week. It is Monday

night, and, uh, it's dark out. And it's
been dark for, like, the last five

hours. I'm not digging this thing. And the
thing is, I know it's gonna get even

worse because

shortly they're gonna change the time to
be an hour... It's gonna start getting

-dark at, like, 4:00 instead of 5:00.
-Mm-hmm.

Oh, I just hate this time of year. No fun,
dude. No fun.

-Are you-
-And y-

Are you getting rid of daylight savings?
Is that what's happening?

-Uh, you know what, man?
-Or is that still-

I feel like they've been put... I feel
like they've been teasing us with this for

-forever.
-Right. Yeah, yeah.

I really wish they would, uh, but I don't
know if they are. I don't know. I feel

like last year was like, "This is the last
year they're gonna do it." And then it

was like, "Ah, psych," or something. I
don't know. We'll find out.

-Yeah, okay.
-We'll find out soon enough.

-Find out when it happens
-But I don't know.

So I guess we... Not this weekend, next
weekend, daylight saving starts here. So

we're, you know, the day is already
getting longer. It's bright when you wake

-up.
-Yup, yup.

It's bright longer into the evening. So
it's

good for us because, you know, obviously
it means you can get up a bit earlier and

-there is some sunlight.
-Yeah.

And you finish work at the end of the day,
and there is still sunlight, so.

-Absolutely. Great.
-But it has been, has been raining, which

is, has made it difficult. Last episode we
talked about my adventures with, uh-

-Hay fever
-... LawnHub. And well, hay fever, yes, but

-LawnHub.
-Mm-hmm.

And I had to, had to go out and spray the
weeds. And it says you're not supposed to

do that if there's going to be rain within
four hours. And when-

-Ah
-... I'm planning this ten days in advance,

it's very hard to tell if there's going
to be rain.

-It is. Yes.
-Because even if they can predict ten days

-in advance, it's never correct.
-Not n- Yeah, exactly. Exactly.

So, you know, I, I got up on that day, and
I look outside, and I'm like, "It doesn't

look like it's gonna rain." And then I
went for a, a run in the morning, or I

went for a walk in the morning, and, and I
got rained on. And I thought, "Okay,

well, this has not bode well." And then I,
I waited a bit and there was no rain. And

I, I checked the, the forecast, and it
said there's no rain due until, you know,

three o'clock in the afternoon. This is
10:00 in the morning. I'm like, "Okay, I'm

gonna go out, and I'll spray the weeds
now." And I got almost finished, and it

-started raining.
-Ah.

-You know, 30 minutes later, I'm like-
-Oh my gosh. Pointless.

-Come on.
-I just wasted all that stuff.

-Come on.
-Yeah.

But, uh, it, it seems to have worked
though, 'cause I went out the next day and

all of the, the weeds that I had sprayed
had started-

Yeah, but it'll still be at least, like,
partially effective

-... drooping and stuff, so.
-Yeah. Yeah, it'll be fine. It'll be fine.

So yeah, the next one is in, in 14 days
when I have to go out and spray the actual

fertilizer on the lawn, will be
interesting. So I'm gonna, I'm gonna see

if I can go and hire a dethatcher or a
scarifier-

-Oh, yeah
-... whatever you call it-

-Yeah, sure. Mm-hmm
-... to go and, like, pull up all of the,

the deadness from the surface of the, of
the-

-Yep
-... lawn before I then go and put down the

fertilizer. And, and hopefully that will
help to rejuvenate it. So-

Are you gonna, are you gonna aerate the
soil too? You gonna pile out, pull out the

-plugs and all that stuff?
-Mm-mm. No, I'm probably-

Dude, you're gonna become one of those
lawn guys?

No, I'm probably not gonna go that far.
The scarifier I would do because it's,

like, you know, a machine that you can
hire that goes through and does it.

-Yep, yep.
-But anything that involves too much manual

labor is something that I'm not that
interested in, so.

-Mm-hmm.
-I have... Like, if, as long as I fertilize

the lawn, it tends to come up okay. It's
when it starts to get cold and wet, and I

go, "I'm not gonna go out there and mow
the lawn," 'cause it just turns to mush,

-right?
-Yeah. Yeah, absolutely. Uh-huh.

And so, you do that once, and then before
you know it, the weeds grow, you know-

-Yep, yep, yep
-... as high as your knees. And then you go

and, and then you've gotta go and mow it,
like, four times just to get it down to

level. And by that point, it's too late,
and it's just turned into weeds. So

-I'm hoping it should be okay.
-Hey, speaking of Scarify,

speaking of Scarify, Halloween is around
the corner.

Yeah.

-We're transitioning-
-Do you guys do Hallow-

-No
-Do you guys do Halloween? Do you guys do

-Halloween?
-No, although we've been invited to a, a

-Halloween birthday party, which I'm-
-Oh, that sounds fun.

Yeah. So

for, for, uh... How old is he? Uh, uh, uh-

-Nine.
-I can't remember if this is the older

-child or the younger child.
-Eli's hanging out with the older kids

these days. He's moving on up.

Yeah. Yeah, he certainly is. Yeah. I am...
It occurred to me that we were, we... One

of the kids from school that lives, like,
two doors down, he's in the, the year

above Eli. And, um,

we went around... With, with them, we went
to the park. We had, like, a kick of the,

the soccer ball, we played a bit of
basketball, we pushed some kids on the

swings. It was, it was a good bit of fun.
But one of the other kids was there, plays

in Eli's soccer team. And I was trying to
put two and two together, like, how, how

is this child friends with the older kid
when he plays in Eli's soccer team?

-Yeah, sure.
-And it took me a while to realize that he

is actually an older kid

-playing-
-Ah, okay

... down a grade in soccer. So he is in,
in the older kids' year level, so.

-That's fun.
-But, uh-

-Yeah.
-You know, they played, they played

together for two terms before I realized
this.

-That's fun.
-So-

Yeah, no. It's good, probably good for Eli
to play up with, like, a little bit older

-kids and stuff.
-Mm-hmm.

And yeah, I'm sure he gets... You know,
it's like you play to the level of your

competition or of your teammates, I
suppose.

-It's, uh, yeah.
-And so you probably get better as you

play. Yeah. So we, um... Harrison had a
soccer game this last Saturday and scored

two goals. He was practicing his hat trick
dance if he got three goals.

-Ah, yes. If he gets three, yeah.
-And so he, yeah, he had it all planned

out. Oh, he was... He wanted it so bad. He
had a couple, like... He got two goals

-and then he-
-Mm-hmm

... kicked a third. It was high, it had a
lot of, like, spin on it. Like, hit right

in front of the goal and bounced
backwards.

-Yeah.
-Like, uh, did not go into the goal. Yeah.

-Then he had a couple of those. Anyway-
-Good.

It was fun. He almost made it. It was, it
was the last game of the season, so it was

-like his last chance-
-Mm-hmm

... to get it. But no, it was, it was all
fun. All fun. Um, yeah. Okay. I've... You

know, when we started this, this show
we're like, "What should we talk about?"

Well, I've got a couple things. First of
all, um, have you ever seen these 1Up

Arcade boxes? So, like, they're, like, not
a full arcade cabinet, but, like, it's,

th- they're like mini arcade cabinets, if
you will. So, like, 1Up Arcade, Street

Fighter, they've got whatever. So David
Hemphill and I are big into Street

Fighter. We played, uh, Street Fighter
when we were at Lari: Con this year. That

-was fun. Um-
-Mm-hmm.

But I always wanted a little Street
Fighter box. And so I found one on

Facebook Marketplace, this guy was selling
it for, like, 100 bucks. I'm like, "Why

is he selling it for ch- so cheap?" Well,
turns out he was trying to convert it to,

like, a RetroPie.Which is like a Raspberry
Pi with, like, the software...

-Mm-hmm
-... installed on it that allows you to

download ROMs and then use all the stuff.
So he had done all the conversion on it.

Like, where you have to swap out all the
buttons, you have to buy this, like, LCD,

um, converter that will hook it up to the
port. He bought all the parts, had done

all the things, and could not get the last
step. Could not get it to work, just

didn't have the chops,

and so... Or so I thought. And so I was
like, "Well..."

-Mm-hmm.
-"...I'll figure this out, no big deal."

Well, no, it's been sitting in my basement
for two months and I have not been able

to get it to work. And then I rewatched a
couple tutorials and realized there was a

ribbon cable that was flipped around the
opposite way.

-Wow.
-Turned it around, plugged it in. That was

it, dude, I was, I was off and running.
And so that's been so fun, been playing

-with that, like-
-It's wild they did something so simple.

-Oh, seriously. I mean, it's just-
-But yeah, I suppose if you, if you flip

-the pins, then it's, uh...
-Yes.

But, uh, you know, this is why, uh, PC
cases have always had the little notch so

that you could never get it the other way
around.

-Yes. Yep, not this-
-Because you don't wanna s-

-... not this one.
-You don't wanna r- yeah, you don't wanna

-reverse, uh-
-Yeah, polarity order, yeah

... electricity going to the motherboard,
huh?

Exactly. And so anyway, dude, that's been
so fun, and it's a really fun little,

like, hobby project. Now, the cool thing
is, like-

-Mm-hmm
-... I didn't have to pay $400 for it. I

paid, like, 100 bucks for it, and then
half was already bought.

-Yeah, it's pretty good.
-So yeah, it's, it's been a little, it's

been a lot of fun just playing around with
that. Me and Harrison played some Street

Fighter today, and we both like that game,
and so... Yeah, that's been pretty cool,

so I would suggest that as a fun little
hobby to anybody if they're interested.

There's, uh, there's some cool little mods
you can do out there with it and it's,

-it's pretty fun, so that's been cool.
-All right.

-Um, yeah.
-I can, we can buy these things here, uh-

-Nice, yeah
-... Mortal Kombat, Mortal Kombat Deluxe...

Yes.

Arcade machine has 14 games, Mortal Kombat
1,

2, 3. There's some other Mortal Kombat and
a few other random games on there,

-thousand bucks, plus delivery.
-Yeah.

-All right, good times.
-Yeah. Yep. So this is almost... Yeah

-Lose that before I spend money.
-The- the pri- yeah, exactly. The price was

right. Like, it was, it was way cheap,
and I was...

-Mm-hmm.
-"Yeah, I'll try this out." So that's been,

-that's been kind of fun...
-Yeah

... to just mess around with but, and
finally got it working.

-Love it.
-Um, the other thing that I wanted to talk

about though is

we've talked a lot about the permissions
stuff, right?

-Mm-hmm.
-And so I- I wanna, I wanna sorta share the

saga with you, if I can. Um,

so we talked originally about how we went
through all of our applications, and

previously we only had roles, and we
replaced any place where we are checking a

role with a named permission. So instead
of saying has role admin or has role

manager, we would say, "Nope, what are we
trying to do in this place? Oh, we're

trying to edit a blog post. Okay, so we're
gonna replace that with a check to say

permission enum

-edit blog post." Right?
-Mm-hmm.

-That's- that's what it was. Um-
-Yeah

... and then we used attributes to
associate active directory group, security

group names with those permissions, and
then in active directory we just set those

permissions, or we set those groups,
those security groups on the particular

users that need those things. It works
great. Works really, really well.

-Yeah.
-It's pretty cool.

-I think.
-We've had some other interesting solutions

around that. Okay, that's the, that's
that side of it.

Um, now, the question has been, where do
we do those permission checks? And all

we're doing with those permission checks
is we're just doing gates, right? We're

-setting up gates...
-Yeah

... um, so that you can use Laravel's
default can. You have can middleware, you

-have a can directive, you have...
-Mm-hmm.

You know, this authorize that you can use
inside of the controller if your

controllers are auth- y- you know, using
the authorizable trait. Um, you can do it

inside of a form request, you can do it,
you know, a bunch of different places.

-Yeah.
-Um, you can, uh,

you know, you could just use the gate
facade. There's all sorts of ways that you

can do this, right? And so the way that
we had previously done it, like, as our

first step is we just replaced any of the
middleware checks, um, in our routes file

with can middleware checks, and, uh, I
mean, totally fine.

But that sort of broke down a little bit.
Um, we ended up having to, like, rearrange

-how our routes files were set up, and...
-Yeah.

... you'd end up having to, like, break
apart different pieces, um, based on-

-Just to get the granularity.
-Exactly. And so, like, you'd have a route

file that would belong with another one,
like, co-located with it that would have

to be, like, further down, and then ended
up being like, there'd be a merge conflict

and somebody, like, fixed the merge
conflict but they accidentally moved one

-out of that group.
-Yeah, yeah.

And so now it was without permissions
because, you know, it's just, like, in the

-routes file, and so-
-Yeah

... I was like, "We can't do that
anymore." Um...

-Mm-hmm.
-We- we've gotta... It- it just did not

feel like it was close enough to the
metal. It just felt like it was so s- sort

-of, like, out there and removed.
-Yeah. Yeah.

Um,

and so, um, so first off, like, do you
identify with that at all? Like, do you

feel that? Like, do you ever feel like if
you're doing a- a middleware check or a

can check out at the edge there on the
routes file, does that ever make you feel

a little bit like, "Eh, feels a little too
fragile"?

I don't know off the top of my head
anywhere where we are doing

an authorization check in our routes file.

-Okay.
-Like, maybe very high level, but- but

-nothing granular. I think all of that-
-Sure

-... granularity...
-Like, are... yeah. Sure, like-

... all those authorization checks will
push down into a form request or into,

like, an action class if we wanna enforce
that behavior deep into the- the business

rules of that behavior.

But- but typically, it'll be in- in the
authorize method of a

form request or inside of, like, an a-

an action class,

-somewhere where we're authorizing that.
-Okay. So that l- that brought me to my

next step, which was, okay, so if we're
not gonna do it in the middleware, we

have, uh, we can- we can do it inside of
each controller, uh, method.

-Mm-hmm. Mm-hmm.
-Right? So if we're using resourceful

controllers, um, we can just do a

-this authorize, um...
-Yeah

... or request authorize or whatever it
is, this authorize, and that's gonna pass

in the user, and then you can just pass in
the permissions check, which is fine.

That- that works great. But

it's, like, I sort of hate having to have
those at the top of every controller

method. It sorta sucks. And so you have
some options, right? Um, one option that

was really interesting and attractive to
me was that if you're dealing with a

resource, like a blog post, for example,
instead of having to put that in every

single method...Um, this gate check, this
authorize check, in the constructor you

could say, "This authorize resource," and
then you could point it at the policy that

you had created, if you created a policy,
like a post policy.

-Mm-hmm.
-And then you could do your, your gate

checks in there. So inside of that, you
could just kind of say, you know, um,

"Here are the different a- view any, view,
edit, update, whatever."

-Mm-hmm.
-And you would just say, "Authorize

resource, here's the policy," and it would
automatically apply the correct policy

check to the proper method, which was
amazing.

-Yeah.
-I was like, "This is great." Okay, so

we're gonna move everything to policies
now.

-Mm-hmm.
-Everything to policies, and then we'll do

our, you know, our permission checks
inside of those policies so we know like,

okay, you go to the controller, the
controller's gonna have an authorize

resource. And then at the top you're gonna
click through that, and that's gonna get

you to your policy. And the policy is
gonna define the, the different, you know,

permissions that they need in order to be
able to do these things. Very well

organized, very clean, super nice, loved
it.

-Yeah.
-And then Laravel 12 came along.

And Laravel 12 basically nukes all of
that.

-Mm-hmm.
-It does not use the authorize resource

anymore, it is not in the docs anymore,
and

now it's back to, and all the docs
recommend using

Gate.dodop.authorize inside of every
controller method.

-Mm-hmm.
-And I'm just like, "I hate this.

I really-" "...hate how it looks." And so
I know-

-Mm-hmm
-...what you're saying is you just use a

-form request in that case, right?
-Yeah.

If you want to, if you want to do that
authorization check, you're just gonna

say, "I am, I am going to do that inside
of a form request

for every method inside of all those
controllers," right?

-Yeah.
-Um, is that accurate? Is that how you

-would do it?
-Yeah. And we, we also typically use a lot

-of single action controllers because-
-Mm-hmm

...we are not, like we're not building a
crud, cruddy app really. Um-

-Yeah
-...we have lots of components, and

components make requests to specific
routes.

-Endpoints, yeah, sure.
-Endpoints that are responsible for doing

particular things. So yeah, we, we will
typically have an action that is called,

uh, from a controller that is, um,

past a, a request object which is
responsible for doing the authorization.

And whether, you know, whether it's a, a
get endpoint or an index endpoint where

like, some things don't need to be
authorized, and so the authorize method of

-that form request will just return true.
-Yeah, sure.

But there will be some index methods where
we do need to do tho- those checks in

there. And so we will do the authorization
inside of, you know, a otherwise empty

form request. But it gives us, you know,
extra files around the place, but they are

consistently named and consistently
located. So if we have like a, a

user index controller, for example, then
we would also have a user index request

that goes in, you know, the, the request
folder or whatever. But if you are using

your fuzzy, fuzzy finder in your editor,
you're going to type, you know, user index

and you will see the request and the
controller there, uh, next to each other.

So it's easy enough to find 'em. And then
you'll also have the user index action

perhaps. Um, and so all of this stuff,
because it's, it's got like a

s- a common prefix, it all comes up when
you're searching for it. Um,

your mileage may vary depending on whether
or not you'll, you're navigating the file

-tree or if you're using fuzzy find. Um-
-Sure, sure

...you know, obviously as a VIM user, my
hand's on the keyboard so, uh-

-Yeah, yeah
-...it's, it's more common that I will find

things that way. Um, and that also then
extends to tests, like if you've got a

user index test, for example, um, or a
user index controller test, whatever you

wanna call it, all of these things will
appear, you know, at the top of your

search anyway. So

it makes it easier from that perspective
to locate things rather than having to

traverse the directory tree to look in
like a request folder or a controllers

folder or wherever else. It's all just
there. Um, so yeah, more files but

they're, they're typically very small
files,

but it also then allows us to co-locate
that behavior where it makes the most

-sense. You know, requests-
-Yeah

...and authorization kind of go together.
Controllers are really

just for delegating, you know, taking some
data, passing it to some action and

returning some response. But they're,
they're typically, you know, no more than

five or six lines long.

Right. Yeah, and I think, I think for me,
I get it, like I get... I'm not

necessarily so concerned with

making a new form request for every single
thing, although it does sort of suck,

honestly. Um, and I think it's just
because it's like, how many levels of

indirection do I have to have before I
finally get down to the thing? You know

-what I mean?
-Mm-hmm.

'Cause it's like the reason we organized
it around policies is because we were

like, "Okay great, we're gonna treat them
as resources." Okay, so now we have

-policies.
-Mm-hmm.

Wonderful. But now it's like we're sort of
saying, well, I mean maybe it's a policy

but we're basically gonna have a form
request for every single one of them

every, anyway, so what's the point of
having the policy?

-Mm-hmm.
-Like, now the pol- so, so now I go

route controller, method, form request,
authorize, policy, then permission?

-Mm-hmm.
-I mean, holy crap.

-Mm-hmm.
-That's like seven layers of indirection to

-get down to the actual-
-Yeah

...permission check. It's crazy. And so
it's like, if you're gonna do that, if

you're going to do a form request, it
almost feels like you could do without the

-policy, um, because-
-Mm-hmm

...like, I don't really, I'm not using it
almost anywhere else-

-Yeah
-...except for in the controller. And so-

-Yeah
-...you know, if I'm going to create the

form requests, I almost don't wanna create
the policies because-

-Yeah
-...I don't wanna do one more layer.

Yeah. It also depends. Like if you're very

resource-centric as it seems to be that
you are, then, you know, the policies-

-I mean, sometimes it's-
-...do make sense. But we, we definitely

err on the side of

not having resources. Like we're not
updating people and businesses and

addresses and things like that as commonly
as we are adding a person to application

or add address to person or, you know, all
of this kind of stuff where these actions

kind of dictate what's happening.So, um,
and so whether or not you have access to

do that action is kind of decoupled from
the resource itself. Whereas

you, because you've got the policies and
that kinda stuff, you're- you're more

leaning towards that side of things,

so it probably makes more sense to use the
policies. Um, but I still think, you

know, the form requests just make a- a
consistent... Yeah. Yeah, it's seven

layers and it's more things, et cetera,
but it's always gonna be in the same

place. You don't have to stop and think,
"Oh, hang on. This is an index method.

Where do I authorize this now?" No, it
just goes in the form request.

-Yeah.
-Like-

-Mm-hmm
-... yes, extra file, yes, extra location.

Potentially, like, if you're doing the
policy and, you know... But it, but it

means that you can guard those things
directly as well, using the policies.

Yeah.

-Um, where-
-I guess that's-

... you're not necessarily encapsulating
business logic behind

-a request or an action or whatever else.
-Yeah. Okay, so here's the last piece with

the form request thing. So, like, there
will be... So there are places where we do

have more intensive sort of policy logic.
So for example-

-Mm-hmm
-... I'll have, like, a coaching entry,

right?

And for that, a coaching... And, like, if
somebody... The ability to be able to view

a coaching entry depends on if it is...
Like, if the person that's logged

in, if their user ID is the person that
is, like... They're the coachable team

-member ID-
-Mm-hmm

-... or something like that, right?
-Mm-hmm.

They're the person who's being coached. So
if it belongs to them, they can see it.

Or if it is a person who directly manages
them. So if they're anywhere within... So

indirectly or directly manages them. So if
they're anywhere in the tree of that

-person's-
-Mm-hmm

... purview, they can be seen, right?
Where does that live? That has to live

inside the policy. That's the logical
place for it to live.

-Mm-hmm.
-My question is,

if I'm doing that, um, does the... So,
like, let's say the, uh, the view

coaching entry request, right? Or is it
coaching entry view request? Which one is

it? Coaching entry show request? Is that
what you'd call it?

Yeah, it's show coaching entry request, I
think.

-Okay. So verb and then model and then-
-Mm-hmm. Mm-hmm. Yeah

-... yeah? Okay.
-Yeah.

So show coa- so show coaching entry
request. If I do that, um-

-Mm-hmm
-... does the show coaching entry request

authorize the method, have access to the
ID or to the currently hydrated, eager

loaded, um, model binding, right? Does
that make sense?

Uh, like, yeah, for the, like, for the
relate, for the related entry.

Right. So, like, so when you do, you know,
you have implicit route model binding,

-right?
-Mm-hmm.

So, like, it will, it will automatically
pull the ID. You know, it says, "Here's

-the ID."
-Yep.

Uh, "I'm going to go ahead and grab that
particular type hinted model out of the

-database," or "I'm gonna 404."
-Mm-hmm.

And then you use that in the policy to
then check against, is this current, you

know, is this current, uh, coaching entry?
You know, you inspect it, basically, to

determine if the person who's currently
logged in can see that thing or not.

-Yeah.
-So my question is, does the authorize

method have access to that particular
model? So that when I'm saying, uh, this

arrow authorize post class, comma, or- or
just say, like, view, comma, and then I

-pass in that particular post.
-Yeah. Well, the- the route model binding

stuff is done

up the stack and then passed down into the
request. So you do have access to the

route and all of its bound parameters at
that point. Yeah.

So, yeah, like, in the controller,
typically you have, like, the way that the

implicit route model binding works is in
the controller you have request, you know,

type entered request, dollar sign
request, comma-

-Mm-hmm
-... type entered coaching entry, dollar

-sign coaching entry.
-Mm-hmm. Yeah.

-Right?
-Yeah, yep.

And then in the controller, you have
access to that thing. So what I'm saying

is I don't know how to get access to the
coaching entry, dollar sign coaching

entry, from the authorize method, 'cause I
would need that-

-Yeah, and-
-... in order to be able to do my policy

check.

Yes. La- uh, so typ- previously, you'd
have to do, like, this route and then pass

-it the, the string name.
-Mm-hmm.

I think in Laravel 12, they introduced the
thing so you can use an attribute to then

bind that directly out of the route. So
you can... I think it's pound square

bracket route, and then give it the thing,
and then you can actually inject a

properly typed, um,

class or instance there so that you will
get the completion and you'll get all of

that stuff there, and Laravel will then
handle injecting that from the request

-automatically. From- from the route-
-Because doesn't that feel like... So if

I'm just, I- I'm- I'm discovering the
solution here with you. I'm talking it

-through-
-Mm-hmm

... because I'm interested in- in how it
kinda does work. To me, it feels a little

bit gross that, like, I have it type
entered inside the controller. Like, and I

know the name of it, I know the variable
and all that stuff, but the form request

-does not have that.
-Mm-hmm.

You know, it doesn't know. It doesn't have
any idea of that route model binding

thing. It doesn't know. And so

it's like I have to either, you know,
duplicate that inside of the form request

or I have to somehow pass it in. I just,
like, I'm wondering, you know, what is

Team Laravel doing for this? Like, it
seems like this is not

how I- I would think that it would be
done. Like, it just-

-Yeah
-... it seems too chaotic. I just, I'm

like, "Who..." There- there's gotta be a
way. There... Either there's, A, they're

doing it a certain way that they're not
super stoked with, um, and they're just

sort of doing it. Or, B, they're doing it
a different way that I'm completely

unaware of. Or,

C, I just don't like it and they don't
give a crap. They don't care at all.

-Mm-hmm.
-It's fine. It's fine for them. You know

-what I mean?
-Yeah. Nuno, I think Nuno was posting

something about this the other day. I saw
a screenshot. So they're just calling

request validate, um... Oh, no, this is
the MCP Tools thing. I'm sure I saw that

he tweeted somewhere.

In Laravel MCP, tools, prompts, and
resources share the same API request

handle response. Similar to controllers in
Laravel, you can validate input, dispatch

actions, and more.But this is calling
request validate, this is not talking

about authorization.

I'm, yeah, I'm, I'm certain in one of
Nuno's, um, streams or videos that he

posted, he did talk about how he goes
through this. Which I assume would be very

similar to how they're doing it, uh, in
Laravel Cloud at the very least, 'cause he

had a heavy hand in, in the architecture
of that platform. So, um, it would

definitely be good to, to gauge

some... 'Cause I know that, you know, you
brought this up in, uh, in Cash Money,

-and, and David-
-Yeah

... David Hemphill and I, we've, we're
very much aligned in this in terms of, um,

you know, using form requests for
everything, and, and handling

-authorization that way, so...
-So, so-

-I think-
-Like-

... I think this is where it kinda comes
down to, you know, there are many

different ways of doing these things in
Laravel, and it, and it varies case by

case, app by app. Um, you know, some
things make sense in some context that are

different in others. Uh, and it's hard to
find, like, the one prescribed way of

-doing it.
-Yeah.

-Um, but yeah, I know-
-I just, I just wanna be consistent, and it

-just-
-Yeah.

Every time I feel like I've got it nailed
down, there's, like, some weird edge case

-thing that's like, "Oh-"
-Mm-hmm.

"... except for that, then you have to do
it a different way." And I'm like, "No-"

-Yeah.
-"... dang it all, I don't wanna do it a

-different way. I wanna do it-"
-Yeah.

"... the same way every time." Like, and
it just feels like I can't find that way.

I thought I had. I though- I did, I
actually did have it. When I had that

authorized resource thing, it was working
perfectly. Now I, now it's, now I can't.

-It's, it's-
-Yeah, I mean, that's-

-I'm screwed.
-That's gone from

the controller, because the base
controller is gone, but you can still use

the trait directly if you wanted to. You
can, I mean, you can always bring that

-base controller-
-Well, no-

-... back if you wanted to.
-You can, but-

-Or is it gone?
-... you have to extend, like, if you do

that, the, the, the way that they do the
middle ware on the controllers is also

-different now-
-Right, okay

... because they've, they've removed that
construct middle ware.

-Yeah, 'cause it's a method now.
-Yeah, they've con- removed that. And so

you have to have, like, there's like a
public static function middle ware on

every controller, but the authorized
resource uses that middle ware the way

that it was previously written. Which is
why I think-

-Mm-hmm
-... they removed it from the docs. It was

like, "No, we're not gonna do this
anymore." Like, you have to extend-

-Mm-hmm
-... a different type of, um... I- I looked

into it. It's just, you have to do
something funky. It's definitely not the

direction the framework was going. Which
I'm fine with saying we're gonna stick

with where the c- the framework was going.
I'm fine with changing, I just don't feel

like I have a clear picture of, like, how
it is. And, and again-

-Mm-hmm
-... maybe it's... They are just like, "No,

no, no, there is a clear picture. The
clear picture is do a gate authorize check

in every single controller method." And
I'm just like, "Ick, I don't like that.

-That's still the thing." Um-
-Yeah.

-And so, you know.
-I found, I found Nuno's, uh, tweet about

it. It was from the 29th of January. So
some things just stick in my head better

than others. But he said, "Yes,
authorization on my form request. I

typically test form request on my
controller test." So the... I- I've linked

it to you, I have a link for you in the
show notes. Basically he's got a

controller which has a method that injects
the request, and the assumption is that

the authorization has already happened in
the request, and the validation obviously

then happens in the, uh, form request
implicitly. And then it's just a matter of

calling the action handle method and
returning response from the controller,

-and-
-Okay, so here's, here's my only, this is

my only hang up, right? And you may have
an answer to this, you may not.

If I have

item.

If I'm edit, like, so if I'm editing an
item, okay?

-Mm-hmm. Mm-hmm.
-And I am getting that through the

controller method, um, not store, not like
a new one, like I'm-

-Mm-hmm
-... editing or I'm viewing one that

-already exists.
-Mm-hmm.

How can I reference that item that's
coming in in my form request

in the authorize method? That's it. If I
could figure that out, I feel like I'm

good.

And I'm, I want that to be actually a good
answer. Like, I don't want it to be some

janky, like, I have to pull it from the
route thing. Like, I want it to, like...

Yeah. Well this is the, the route
parameter attribute that you would, you

would

hint that

in that authorize method, and it should
inject it for you that way.

-Okay.
-That's how I believe it's meant to work,

so.

Storage, keep that route parameter
attribute. Yeah.

Yeah. Yeah, and I'd say the only piece to
me that still feels incomplete on that is

that I have to have that in both my
controller and my form request, that same

variable. I have to keep it in. I have to
keep it consistent. It, my refactor tools

are not gonna know that those are gonna
need to change together.

No. They won't. Um,

no.

But you, you need... Well, yeah, you need
to put them in both places anyway

if you need both of them to be aware of
it. It's, like, it's no different than

passing it down into an action or sending
it somewhere else. Like, those things just

-need to know about it.
-Well, except for from there, I'm passing

-it from the controller into the action.
-Mm-hmm. Mm-hmm.

Right? And so I can see it in the
controller. It's like it's right there.

-Yeah, yeah.
-I can see the name of the variable. I know

I have that available to me in the
controller.

-Mm-hmm.
-And so then I just... And it's no problem.

-I- I just, it's like it's-
-I mean, if you wanted to

if you wanted to, you could then, you
could then type the route parameter in

both of them rather than relying on the
implicit injection

-into the controller.
-Could I do, could I...

-So rather than just-
-Go ahead.

Yeah, so rather than in your controller
method doing, you know, binding the, the

model directly, you could just say route
parameter. 'Cause this, you can-

-Ah, okay
-... that route parameter attribute

is, a- an attribute that targets
parameters. So you could do it on a, on a

controller's edit method, yeah.

-Mm-hmm.
-But, you know, without running the code,

looking at it, it certainly seems to, to
be the case.

Okay. I need to find the documentation for
that,

for what you're talking about. Is it an
attribute, that route attribute?

Contextual, yeah, contextual, contextual
attributes, I think is what they're called

-in the documentation.
-Okay. Let's look that up.

Contextual attributes, yeah, as part of
the service container documentation.

Contextual attributes.

Route parameter, and then so you say,
like, the route parameter would be, uh,

-coaching-
-Yeah

... as a string, and then you would have
a, you know, coaching,

dollar coaching, you know, and put it put
it in the definition that way.

I'm curious if when I get it that way, if
it's actually going to give me is is it

just going to give me the value, the ID
that's being passed through? So I have to

-look it up again?
-It'll it'll do the casting for you.

-It will do that.
-It's basically an explicit model

binding.

Right? You're saying take this thing
explicitly from the route, right, the the

ID of the coaching

model, and then Mhmm. It will handle
casting that into a coaching

-Oh, I see it
-... model.

Mhmm. Mhmm. Mhmm. Yep.

And it does a container make from the
request and gets that route parameter, and

then you get that back because it's an
attribute that you have now typed as a as

a, method parameter, you'll get the type
of that thing knowing that it is an

instance of whatever it should be out of
the route, which in this case

Interesting. So I could do that I could do
that inside of the, um,

-the form request?
-The form request and the controller. Yeah.

I mean, it it doesn't stop the like, I've
gotta put it in two places. But it makes

-it
-Yeah. Or maybe or maybe it actually I

wonder if it actually also, makes 2
queries.

-That would be the thing to check for.
-Hmm.

I mean, it's pulling it out of the route.
So it's set

-on the route there.
-Yeah.

-Yeah.
-So

worth exploring. Uh, I wouldn't go and
refactor my

I'm still not super yeah. Well so that's
where we're at. It's like we're already

going through the process of refactoring
the code base. So I'm pulling my hair out

trying to figure out, okay, we're doing
this once. How do we wanna do it? And I

just don't feel like I have a good answer.
So

-Yeah. There are
-I might just end up I might just so what I

know what I know I can do is the the easy
way that's ugly is just do the gate

authorize check at the top of every
controller method and call it good. And it

is it is ugly, but it's effective, and it
works every time. Like

-Yeah.
-I mean, there are there are some ugly

things, and there are some paper cuts in
the framework that I don't know that there

are good solutions for. Um,

and, like, I know that Taylor likes to go
through and find these paper cuts and and

clean them up, but there are just some
things that I think can't be cleaned up. I

mean, I say that now, maybe in 6 months,
he will, you know he will have one of

those light bulb moments and figure out
how to do it. But, um, yeah, the the form

request and the controller kind of
different context as well.

-Yeah. Yeah.
-Even though they're coupled. Um,

-yeah.
-Yep. Yep. Yep. Yep. Okay.

Interesting. I'd be interested to to hear
where you land on it though.

Yeah. I think I think if I'm if I'm just
trying to be, like if I'm trying to be as

consistent and as, like, pragmatic as I
would as I could be, I think, ideally, I

would like to put it in the form request.
I would like to just always have a form

request object, always have an authorized
method, and always be checking the policy

-in that spot.
-Yeah.

Um, and then I think the trick the only
trick I have to figure out is how I can

make sure that I have access to that that,
um, model that is bound, you know, the

implicit binding. And if I can figure that
out, then I'm I'm good to go. And I'll

I'll let you know kinda where we where we
land on that.

-Yeah. Excellent.
-Cool.

-It's nice.
-Okay. Yes. Yes. Yes. Alright. We are what

-time are we at here? 34?
-Yeah.

Alright. We got we we got anything else
before wanna talk about before we go or

are we good?

Uh, no. I mean, we talked about the
Salesforce mocking thing, uh, last

episode, which I'm still working my way
through because I realized today that at

some point during the AI writing the code,
it deleted a whole bunch of code that I

-Oh, fun.
-... still had written. So and I'm not sure

like, I don't know if I'd stashed it and
then dropped the stash because I thought I

wasn't working on that anymore. Um, but
it likes to be very verbose. And so

what I have found through this process

is that

a lot of stuff you end up doing multiple
times because you'd like you get the first

cut and then you have to like tidy it up
and then it like starts doing weird

things. Like I said, I want you to bind a
faker instance to the container. So it

went and actually bound

well, I said I wanted to choose dependency
and injection. And so I went and then

bound an instance of faker to the
container rather than just injecting it as

a constructor

property. So this is things like that. I'm
I'm getting to the point where I'm, like,

I would just do this myself. Like, you
have given me enough of the skeleton that

I can go and make the rest of this work.
Otherwise, I'm just gonna keep going round

and round in circles.

I did find though, um, I'm using I think
we spoke about open code last time. I'm

using that. They're offering brock code
fast for free for a period of time while

they're testing it out with with their
stuff. And I think

it tends to produce results, like, good
enough results much quicker because it

doesn't

spit out all of the, like, thought process
that it's going through where Claude

and the Sonnet model will say, you know,
I'm doing this. I'm looking at this. Oh,

this didn't work. I'm gonna, like, go and
investigate this. Whatever. Like, it's

very verbose in terms of describing what
it's doing. Brock code seems to just,

like, do it and then go here's the result
at the end, which

depending on who you are

may or may not be

a better option. But I found towards the
end of last week that

that Groq code was

certainly producing results much quicker
where Sonnet kept on timing out. But I

think Claude had some issues last week,
and they made some tweaks to their models

or something like that. So maybe that came
into play because it seems to be working

okay again today.So, anyway, I don't know.
I think our code base is, is

quite large and some of the stuff that's
in there may impair

-more than impact what it's doing.
-Mm-hmm.

And so, yeah. It certainly has gotten
through a lot of the boilerplate and a lot

of the things that I wouldn't wanna do,
like, you know, coming up with mock

responses for Salesforce requests. Like,
it's figured out what they should look

like and

the shape of the responses and generating
all of the, the bodies. So it's been very

good at that. But in terms of tying all
the pieces together, I'm not stoked with

-it, to be honest.
-Yeah.

You know, whether, whether or not that's,
like, the model is not capable of it or

I'm not capable of steering the model at
this stage is

unclear. But it's just a frustrating
thing, and it's, it's turning into a bit

of an abusive relationship now because
every time I say- ... "Nah, this is crap.

I'm not gonna use this anymore. I'm gonna
do it myself," I find my way back to it

and try again anyway. Maybe this time
it'll be different, so.

-You get... You're codependent.
-It's no, it's no good. But I feel-

-There's-
-I, I just, I

-there's-
-There's gonna be a whole industry popping

up around, like, AI, like, relationship
coaching.

Yeah. Yeah. There's, uh, we'll, we'll
probably wrap on this, and maybe I'll get

your opinion on it and then we can wrap.
But

I feel like there's a big push

as an industry. Like, you see it all the
time. Companies are saying, "You've gotta

use AI. We're not hiring any more staff
unless you can show that you've exhausted

all avenues with AI," and, and whatever
else. Like, so there's that whole school

of thought going on. And, um,

I feel like as engineers, as developers
that have been in the game for a long

period of time, that have, like, done all
of the work by hand for a long period of

time, sitting there and watching the
computer write the code for you, it's

like, what am I being paid for now

to, like, sit there and just what? Like, I
feel very dirty about it. Whereas some

people are like, "This is great. I can get
more done," I don't feel like it's made

me quicker. I feel like it has certainly
written more code than I could have over

the same period of time. I don't think
it's produced the same amount of output

and the same amount of value as I could in
that same amount of time, if that makes

-sense.
-Mm. Yeah, so do you-

-Um-
-You feel like it's actually made, made you

less efficient, but it's, it's easier for
you?

-I don't think it's made me more-
-Less produc- not, not less efficient, less

-productive?
-Yeah.

-Do you feel like you're producing less?
-Yeah, I feel like... Yeah, 'cause, like,

I'm not doing it. I'm watching the
computer do it, right?

-Sure.
-But I feel like what it's producing, I

still need to go over, and there's a lot
of untangling going on there. So I'm, I'm

watching the computer write the code for,
you know, hours of a day

or across a week, you know, hours of, of,
of that week. And it's like, well, what,

what am I supposed to be doing while it's

churning out code? And then, oh, it's
finished. Okay, now I've gotta go and look

at it. No, that's no good. Figure out how
we're gonna fix it. Okay, then off it

goes again. It's like... I don't know. As,
as someone who has always written the

code, it's like, I understand that I get,
you know, you get paid to do the work, but

now I'm not doing the work, if that makes
sense. So what-

-Yeah, yeah
-... what, what am I, what am I being paid

-for here?
-Are you, are you using, are you using it

in, like, planning mode first to kinda get
it all set up?

-Yeah.
-And then you... Yeah. Okay.

-Yeah.
-So you're doing it that way. Okay. Yeah.

-Yeah.
-I don't know, dude. I, honestly, I wish I

could tell you. I feel like tomorrow I
actually told Andy Hinkle. I was like,

"Dude, you're gonna do a Teaching Tuesday
for us tomorrow, and you're gonna show us

how you actually go through

with Claude and with, uh, Cursor and, and
how you actually go through. What's your

process, you know? Um, how do you set it
up in planning mode? What are the things

that you're prompting it with?" And
whatever. And there, there are little

things. Like, so today he went through and
was like, "Here are all the strings that

I want to have a passing test for, that it
should have this output. And here are all

the ones that I have strings that should
be ignored, and this is what it should

-be," whatever. And then he said-
-Mm-hmm

... "I need a regex that solves all of
these." And it was like, "Okay. Let me

wri- let me do this." And he's like, "No,
no, no. Start with TDD first. Like, write

the test." It was like, "Okay, I'll write
the test." Then he's like, "Okay. Now

write your regex." And it wrote a single
regex that solved all of those, and it

-passed-
-Mm-hmm

-... all the tests. And it's like, okay.
-Yeah.

Pretty sweet. Like, 'cause Andy's... He's,
he's good with... You know, he... I don't

think he's ever had to use or, like, had
to know exactly what the regex was. Most

of the time, you can just kinda, like,
Google it, and like, "Okay, I need a regex

-for a phone number."
-Yeah. Yeah.

Great. There we go. You know, I don't know
what it means, but whatever.

-He's very good at writing regexes. Yeah.
-Totally. And, like, I love regex stuff.

And so, like, for me, it's very
interesting to kinda see him pull it apart

and whatever. But it's like, does it
really necessary for him to learn all

that, or can he just prompt the AI to do
that? And so it's like-

-Yeah
-... there are instances where it's, like,

-very useful for that sort of stuff. So-
-Mm-hmm.

And it was stupid, it would be stupid for
him to write that code because s- you

-know, it can write it for him. And so-
-Yeah.

-Um, yeah. I don't know.
-For those kinds of things, like, I have

definitely found that it's, it's quite
good at it. Um, especially, you know, when

we've been wanting to figure out... Like,
we have

in the Salesforce library

every- everything that, like, runs a raw
query against the Salesforce endpoint, it

just sends an execute query request. So it
could be a, it could doing a select from

contacts or accounts or, you know,
whatever else. So the only way to kinda

figure out what kind of request is
actually being sent in order for us to be

able to then fake the response is to
inspect the query string. Um, and so,

like, it's kinda figured out

initially that it, it was writing a regex.
I'm like, "I think this is a bit

overkill," 'cause I was looking at this
regex. I'm like that, that looks very

complicated. Uh, let's maybe just use a
string contains here and just look for,

like, if the query string contains from
account, it means that we're doing an

account lookup so we can return the
account if it... You know, all of that

kinda stuff. But

it's... Yeah. There, there are things... I
haven't formulated a concrete opinion on

it yet. There are certainly things that it
can do and does well. Like, I love using

-it to go and fix PHP stand violations.
-Mm.

'Cause it's like, ah, I don't wanna go
through that. Um-

-Yeah
-... especially when you update a, a patch

release and end up with 90 or whatever

stand violations that weren't there before
the update, like I did yesterday.

Um...... but, uh, yeah. There are also
things that, even guided, like, "Okay. I

want a- I want you to create a- a registry
of these things." Or "I want it..." You

know, if you- if you're very specific and
very guided, um, it can go and generate a

lot of code. But then you've gotta go and
look at it, because, um, it doesn't do

things quite as well as I would hope for
code that I want to ship into production.

Because, yeah, the AI may have written it,
but then I have to support it. So...

That's the main thing. Like, you do still
need to understand it in, you know, in a

-professional capacity.
-Yeah.

Like, if you're- if you're a
non-programmer and you're just trying to

bring your ideas to life... I spoke to a
friend the other day who's a- a UX

researcher, and he built this thing, um,

that does

some analysis. I don't wanna go too much
into it, 'cause he's still building it

out. But he built this as, like, a- a next
app, um, and, like, all of his stuff, it-

it does all the analysis, it provides
reports, it shows you all these different

things, that over the last month and a
half, two months, he's built himself. Um,

because he knows, like, what comes out the
other side of it, he knows what he's

expecting there. But if you looked under
the- under the hood of all of that code,

it's not gonna be something that you'd
wanna maintain. For that use case-

-Yeah
-... where you're building something that

-you would not have otherwise had-
-It's... Yeah. You could toss-

-... the time, the capability-
-Yeah

... the money to- to do, you know, it
doesn't matter. But he's pro- providing

-value in the outcomes. So...
-Yeah.

But as a software engi- uh, I keep saying
engineer. As a software developer, I find

myself endlessly frustrated by what it
puts out, um,

-and I'm- I'm not- not convinced by it.
-Yeah.

Yep. Like I said, it's just... It
always... The answer is it depends, right?

Yeah.

-As with anything.
-Yeah.

As with anything. All right, my friends.
Why don't we wrap it there? Uh, this is

-gonna be Episode 183?
-183.

-183?
-Mm-hmm.

Thanks for hang- thanks for hanging out
with us, folks. Find those show notes for

this episode at northmeetsouth.audio/183.
Hit us up on Twitter, on X, on Bluesky,

@MichaelDurant, @JacobBennett, or at North
South Audio. And if you liked the show,

rate it up in your podcatcher of choice.
Five stars would be incredible. Thanks,

-folks. Until next time. We'll see ya.
-Bye.

More episodes

Chapters

Creators and Guests

What is North Meets South Web Podcast?