Laravel debugbar, public access

Hi,

I have installed OCMS v4.3.1 with debugbar. It looks like allow_public_access doesn’t work anymore.
From time to time I need to use it even on live sites. allow_public_access allowed us to use it, but it hid it from users not logged in to the backend.

Am I missing something, or is this no longer available?

Hey @zemiak5

This is from the Laravel Debugbar readme:

Caution

Use the DebugBar only in development. Do not use Debugbar on publicly accessible websites, as it will leak information from stored requests (by design).

Warning

It can also slow the application down (because it has to gather and render data). So when experiencing slowness, try disabling some of the collectors.

I’m not sure there is a safe way to do it.

Hi @daftspunk, I understand this point. But taking the risk should be on the developer, since the benefits are very high. No need for a development version of a site.
We are using development versions on "big" sites, but on smaller ones it takes more time, which customers usually don’t want to pay for. So taking shortcuts helps. After we finish working on it, we will disable it and switch to production again.

At the moment I see a bigger risk, because all users can see the debugbar window. And debugging needs to be done.
From time to time you even have scenarios where you have to use it on live sites. For example, you need to debug the connection between OCMS and an external API. It’s very rare that customers have a demo version of the API, so the only option is to use the live site.

Do you see a possibility to bring this function back?

You can replicate it with a small custom service provider in your app/ directory. The strategy: leave the debugbar enabled (so it boots), then disable it at runtime when the request isn’t from a signed-in backend admin.

1. Create app/providers/DebugbarAuthProvider.php:

<?php

namespace App\Providers;

use BackendAuth;
use Illuminate\Support\ServiceProvider;

class DebugbarAuthProvider extends ServiceProvider
{
    public function boot(): void
    {
        // Only run if the debugbar package is installed and enabled
        if (!$this->app->bound('debugbar')) {
            return;
        }

        $debugbar = $this->app->make('debugbar');

        if (!$debugbar->isEnabled()) {
            return;
        }

        // Hide the debugbar unless a backend user is signed in
        if (!BackendAuth::check()) {
            $debugbar->disable();
        }
    }
}

2. Register it in bootstrap/providers.php:

return [
    // ...existing providers...
    App\Providers\DebugbarAuthProvider::class,
];

3. Set DEBUGBAR_ENABLED=true in your .env on the live site.

Only signed-in backend admins will see the toolbar; everyone else gets a clean page.

A few caveats:

  • This is custom code in your app - not something the debugbar plugin supports officially, so the risk is on you.
  • BackendAuth::check() relies on the backend session being available, so the very first request after login may still hide the bar; a refresh fixes it.
  • For an extra layer, gate on a specific user, e.g. BackendAuth::getUser()?->isSuperUser() or a custom permission code:
    $user = BackendAuth::getUser();
    if (!$user || !$user->isSuperUser()) {
        $debugbar->disable();
    }

That should give you back the “live-site debugging for admins only” workflow the old allow_public_access flag supported.

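A check for the "everyone else gets a clean page" claim, as an added example that is not part of the original thread: it requests a page without cookies, once normally and once as an AJAX call, and looks for debugbar traces in the response. The `_debugbar` route prefix and the `phpdebugbar` header and variable names are assumed Laravel Debugbar defaults; the sample responses and the script name are constructed.

```python
import re
import sys
import urllib.request

# Traces of Laravel Debugbar's default output. Assumed defaults: the
# "_debugbar" route prefix and the "phpdebugbar" header/JS variable name.
BODY_MARKERS = {
    "asset-route": re.compile(r"/_debugbar/"),
    "renderer-js": re.compile(r"phpdebugbar", re.IGNORECASE),
}
HEADER_PREFIX = "phpdebugbar"


def find_debugbar_leaks(headers, body):
    """Return a sorted list of debugbar traces found in one HTTP response."""
    leaks = [f"header:{name.lower()}" for name in headers
             if name.lower().startswith(HEADER_PREFIX)]
    leaks += [f"body:{label}" for label, pattern in BODY_MARKERS.items()
              if pattern.search(body)]
    return sorted(leaks)


def fetch_anonymous(url, ajax=False):
    """Fetch url without cookies, i.e. without a backend session."""
    request = urllib.request.Request(url, headers={"User-Agent": "debugbar-check"})
    if ajax:
        # The debugbar reports AJAX requests through response headers.
        request.add_header("X-Requested-With", "XMLHttpRequest")
    with urllib.request.urlopen(request, timeout=10) as response:
        body = response.read().decode("utf-8", errors="replace")
        return dict(response.headers.items()), body


# Constructed sample responses, not captured from a real site.
CLEAN = ({"Content-Type": "text/html"}, "<html><body>Welcome</body></html>")
LEAKY_PAGE = ({"Content-Type": "text/html"},
              '<script src="/_debugbar/assets/javascript?v=1"></script>'
              "<script>var phpdebugbar = new PhpDebugBar.DebugBar();</script>")
LEAKY_AJAX = ({"phpdebugbar-id": "X0000000000000000"}, "{}")

if __name__ == "__main__":
    # Usage: python check_debugbar.py https://example.test/
    exit_code = 0
    for ajax in (False, True):
        found = find_debugbar_leaks(*fetch_anonymous(sys.argv[1], ajax=ajax))
        print("ajax" if ajax else "page", found or "clean")
        exit_code |= bool(found)
    sys.exit(exit_code)
```

Run it against your own site from a machine with no backend session; a non-zero exit status means an anonymous visitor still receives debugbar output.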