Upgrade to Laravel 12 and PHP 8.4 #8687
base: develop
| $views = array_map(function ($item) { | ||
| return $item['name']; | ||
| }, Schema::getViews()); | ||
| }, Schema::getViews($database)); |
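Review bot: the array_map callback that returns $item['name'] from Schema::getViews($database) yields a numerically indexed list of names, so any caller that looks a view up with isset($views[$viewName]) or iterates the result expecting name keys will not match. Either key the result by name, for example array_column(Schema::getViews($database), null, 'name'), or change the callers to test membership with in_array() on the name list, and note the return shape in the method's docblock.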
getViews returns incompatible data structure breaking view logic
High Severity
The getViews() method now returns a numerically-indexed array of view name strings, but consumers expect an associative array keyed by view name with objects having a getSql() method. In shouldCreate(), the check isset($views[$viewName]) will always fail since the array uses numeric keys, causing views to always be recreated unnecessarily. In the up() method's foreach loop, $viewName becomes numeric indices (0, 1, 2...) instead of actual view names, breaking the dropped table detection logic entirely.
| $request->name, | ||
| null, // provider | ||
| false // confidential | ||
| ); |
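Review bot: the argument list ending in `null, // provider` and `false // confidential` carries no user, so nothing in this call ties the new client to the requester. If the other controller actions resolve clients per user, attach the owner after creation or document that this client type is intentionally ownerless; named arguments would also make the positional null and false self-describing without the trailing comments.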
OAuth clients not associated with user when created
High Severity
When creating personal access or password grant clients via store(), the new code uses createPersonalAccessGrantClient() and createPasswordGrantClient() which don't associate the client with the authenticated user. The old code passed $request->user()->getKey() to link all client types to the user. Since show(), update(), and destroy() all use findForUser($clientId, $request->user()) to retrieve clients, users can no longer access, modify, or delete personal access and password grant clients they create through this API.
Cursor Bugbot has reviewed your changes and found 3 potential issues.
| public function update(Request $request, $clientId) | ||
| { | ||
| $client = $this->clients->find($clientId); | ||
| $client = $this->clients->findForUser($clientId, $request->user()); |
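Review bot: in update(), swapping find($clientId) for findForUser($clientId, $request->user()) changes who is authorized to act on a client, not only how it is fetched, and nothing in the signature says so. State the intended rule (owner only, or permission holders as well) in the method's docblock, add a test with a non-owner caller so the behaviour is pinned, and confirm that a lookup miss is handled before $client is used.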
OAuth client update/destroy restricted to owner only
Medium Severity
The update and destroy methods changed from $this->clients->find($clientId) to $this->clients->findForUser($clientId, $request->user()). This restricts operations to only clients owned by the requesting user, while the index method still returns ALL clients. Users with edit-auth_clients or delete-auth_clients permissions will see clients in the list but receive 404 errors when attempting to modify clients they don't own, breaking admin management functionality.
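The two ownership findings above (clients created without an owner, and update/destroy scoped to the owner while index lists everything), reduced to a small in-memory model. This is an added example, not code from the pull request or from Passport: ClientStore, resolveForEdit, report and the sample user ids are hypothetical, and the permission-based lookup is one possible policy, not the project's.

```php
<?php
// Constructed in-memory model for illustration; not Passport's ClientRepository.
final class ClientStore
{
    private array $clients = [];

    public function create(string $name, ?int $ownerId): int
    {
        $id = count($this->clients) + 1;
        $this->clients[$id] = ['id' => $id, 'owner_id' => $ownerId, 'name' => $name];
        return $id;
    }

    public function all(): array { return array_values($this->clients); }
    public function find(int $id): ?array { return $this->clients[$id] ?? null; }

    // Owner-scoped lookup: null unless the client belongs to $userId.
    public function findForUser(int $id, int $userId): ?array
    {
        $client = $this->find($id);
        return ($client !== null && $client['owner_id'] === $userId) ? $client : null;
    }
}

// Hypothetical policy: permission holders may edit any client, everyone else only their own.
function resolveForEdit(ClientStore $store, int $id, int $userId, array $permissions): ?array
{
    if (in_array('edit-auth_clients', $permissions, true)) {
        return $store->find($id);
    }
    return $store->findForUser($id, $userId);
}

function report(string $label, ?array $client): void
{
    printf("%-52s %s\n", $label, $client === null ? 'not found (404)' : 'found');
}

$store = new ClientStore();
[$alice, $admin, $other] = [1, 2, 3];               // constructed user ids
$owned     = $store->create('authorization code client', $alice);
$ownerless = $store->create('password grant client', null); // stored without a user

printf("clients listed by index: %d\n", count($store->all()));
report('owner, own client (findForUser)', $store->findForUser($owned, $alice));
report('creator, ownerless client (findForUser)', $store->findForUser($ownerless, $alice));
report('admin, not owner (findForUser)', $store->findForUser($owned, $admin));
report('admin with edit-auth_clients (resolveForEdit)', resolveForEdit($store, $owned, $admin, ['edit-auth_clients']));
report('other user, no permission (resolveForEdit)', resolveForEdit($store, $owned, $other, []));
```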
| /** | ||
| * Store a new client. | ||
| * | ||
| * @param \Illuminate\Http\Request $request |
Duplicated type-extraction logic in store and update methods
Low Severity
The store() and update() methods contain identical code for extracting $personalAccess, $password, and $redirect from $request->types. These three lines are duplicated verbatim between the two methods. This logic could be extracted to a private helper method like parseClientTypes(Request $request) to reduce duplication and make future maintenance easier.
ci:k8s-branch:2026-3-php84
ci:package-auth:task/FOUR-28803
ci:package-email-start-event:task/FOUR-28803
ci:package-collections:task/FOUR-28803
ci:package-actions-by-email:task/FOUR-28803
ci:pmql:task/FOUR-28803
ci:package-analytics-reporting:task/FOUR-28803
ci:package-savedsearch:task/FOUR-28803
ci:package-decision-engine:task/FOUR-28803
Note
High Risk
High risk due to the major Laravel/PHP and Passport upgrades plus the middleware bootstrap refactor, which can affect request handling and authentication/token flows across the app.
Overview
Upgrades the platform to PHP 8.4 and Laravel 12, along with related dependency bumps (notably laravel/passport to v13, Swagger, JWT, OpenAI, PMQL, and PSR HTTP message v2).

Migrates HTTP middleware registration from ProcessMaker/Http/Kernel.php into bootstrap/app.php using the Laravel 11+/12 ->withMiddleware() configuration (including custom replacements, group composition, priority ordering, and alias mapping).

Updates Passport integration to newer APIs: DevLink OAuth client creation now uses createAuthorizationCodeGrantClient, user token lookups pass the User model to TokenRepository methods, AuthServiceProvider disables Passport client UUIDs, and Auth\ClientController no longer extends Passport’s controller and instead uses ClientRepository with per-user lookups and type-specific client creation.

Also removes the processmaker:create-test-dbs command, adjusts CreateDataLakeViews to pass the active database name to Schema::getTables/getViews, tightens AuthenticateSession to only run for SessionGuard, makes UserTokenResource handle both PersonalAccessTokenResult and Token outputs, reduces BuildScriptExecutor retries from 10 to 1, and adds .envrc to .gitignore.

Written by Cursor Bugbot for commit 4e2ed4b. This will update automatically on new commits.