
Accessing collections from Meteor server-side method

Are server-side methods also governed by publications? I thought a server-side method can modify whatever it wants.

In my case, in template's helper, I have Meteor.call('serverMethod', id) and then define serverMethod in collections/methods.js.

Through the publication, template only has access to one record (the id one), but that's the only one serverMethod sees.

But when I publish everything to template, serverMethod sees everything.

Isn't that odd? I thought the purpose of a server method is to be trusted, so that I can modify anything I need to without publishing the entire database? Is there something I'm missing?

My allow permissions are set fine, same as other parts of the app which work fine.

Your initial assumptions are correct - methods on the server are "trusted code", and therefore have full access to your collections (publications and deny rules do not apply).

I think the confusion is that serverMethod is defined in a shared directory and therefore will run on both the client and the server (unless it's wrapped with a Meteor.isServer). So if the call is initiated on the client, it will run both versions. Depending on what the method actually does and how you are calling it, you may only see the result of the client-side call. The client version of a method is limited by what has been published to the client.

I suspect that inside of your helper you are doing something like:

var result = Meteor.call('serverMethod', id);

This says: "Call the client simulation of serverMethod and immediately return the result". In order to actually get the value from the server you'd need to use a callback. For example:

Meteor.call('serverMethod', id, function (error, result) { console.log(result); } );

If the above information is an accurate depiction of the problem, you now have another issue to deal with: you can't use the value of an asynchronous callback inside of a template helper. See this question for more information.

Server side methods have access to everything and aren't subject to the allow or deny rules or publish methods.

You have to manually check if the user has permissions to do something per method.
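
The per-method permission check described in the answers above, as an added example that is not part of the original posts. The method body is written as a plain function so it runs under Node without Meteor; makeCollection, MethodError, callAs and the ownerId/touchedBy fields are assumptions made for illustration.

```javascript
// Body of a Meteor method as a plain function. In an app it would be registered
// from server-only code, for example:
//   Meteor.methods({ serverMethod(id) { return serverMethod.call(this, Docs, id); } })
// Meteor sets `this.userId` from the login session of the calling connection.

// Constructed in-memory stand-in for a server-side collection (hypothetical).
function makeCollection(docs) {
  return {
    findOne: (id) => docs.find((d) => d._id === id),
    update(id, fields) { Object.assign(this.findOne(id), fields); return 1; },
  };
}

// Stand-in for Meteor.Error: carries a short machine-readable `error` code.
class MethodError extends Error {
  constructor(error, reason) { super(reason); this.error = error; }
}

// On the server the method sees every document, whatever is published and
// whatever allow/deny says, so it must validate input and authorize the caller.
function serverMethod(collection, id) {
  // Method arguments come from the client and can be any value, including an
  // object that a Mongo query would treat as a selector. Require a string.
  if (typeof id !== 'string' || id.length === 0) {
    throw new MethodError('bad-request', 'id must be a non-empty string');
  }
  if (!this.userId) {
    throw new MethodError('not-authorized', 'login required');
  }
  const doc = collection.findOne(id);
  // Same error for "missing" and "not yours" so callers cannot probe for ids.
  if (!doc || doc.ownerId !== this.userId) {
    throw new MethodError('not-found', 'no such document');
  }
  collection.update(id, { touchedBy: this.userId });
  return doc._id;
}

// Constructed sample data: two documents owned by different users.
const Docs = makeCollection([
  { _id: 'a1', ownerId: 'alice' },
  { _id: 'b1', ownerId: 'bob' },
]);

// Reports the outcome of a call made as the given user: the id or an error code.
function callAs(userId, id) {
  try { return serverMethod.call({ userId }, Docs, id); }
  catch (e) { return e.error; }
}
```

In a Meteor app the type test would normally be done with check(id, String) from the check package, and the error thrown would be a Meteor.Error so the code reaches the client callback.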

Maybe because the serverMethod is being passed the id from the client, so technically it only ends up seeing what the client can see? (since the id is what's passed back up to the server)
