meteor - profile editing security
So I found this article. Is it still actual or has meanwhile something changed? Should I be worried about user's security? I'm updating user data like so:
Meteor.users.update({_id: Meteor.userId()}, {$set: {'profile.name': name, 'profile.surname': surname}})
The profile field of Meteor.users is subject to debate and might be deprecated in the future (or at least its specific auto-publish behavior). See this MDG document. Quote:

The profile field on user documents is very dangerous. New Meteor developers often think it's a good place for all data they put on their user documents, and it's especially convenient because it's automatically published to the client. Unfortunately, profile is a bad place for pretty much anything.

In any real app, you will want to validate every bit of data that enters your database.

My advice is to not use the profile field at all. Instead, add whatever fields you need to Meteor.users and publish them the usual way.
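One way to follow the advice in the answer above, as an added example that is not part of the original thread: validate name and surname on the server inside a method, store them as top-level fields, deny direct client writes, and publish only those fields. The method name `users.updateName`, the publication name `users.self` and the 100-character limit are assumptions made for illustration.

```javascript
// Added example. Field names `name`/`surname` come from the question;
// 'users.updateName', 'users.self' and MAX_LEN are hypothetical choices.
const MAX_LEN = 100;

// Build a $set modifier from untrusted input, accepting only short plain strings.
function buildNameUpdate(input) {
  if (input === null || typeof input !== 'object' || Array.isArray(input)) {
    throw new Error('invalid-input');
  }
  const set = {};
  for (const field of ['name', 'surname']) {
    const value = input[field];
    // Objects such as {$ne: ''} and arrays are rejected, never coerced.
    if (typeof value !== 'string') throw new Error(`invalid-${field}`);
    const trimmed = value.trim();
    if (trimmed.length === 0 || trimmed.length > MAX_LEN) {
      throw new Error(`invalid-${field}`);
    }
    set[field] = trimmed;
  }
  return { $set: set }; // unknown keys in input (e.g. isAdmin) are dropped
}

// Meteor server wiring; skipped when the file runs outside Meteor.
if (typeof Meteor !== 'undefined' && Meteor.isServer) {
  // Meteor lets a logged-in client write to its own `profile` by default;
  // this rule blocks every direct client update of user documents.
  Meteor.users.deny({ update() { return true; } });

  Meteor.methods({
    'users.updateName'(input) {
      if (!this.userId) throw new Meteor.Error('not-authorized');
      let modifier;
      try {
        modifier = buildNameUpdate(input);
      } catch (e) {
        throw new Meteor.Error('validation-failed', e.message);
      }
      return Meteor.users.update({ _id: this.userId }, modifier);
    },
  });

  // Publish only the fields the client needs, and only for the logged-in user.
  Meteor.publish('users.self', function () {
    if (!this.userId) return this.ready();
    return Meteor.users.find({ _id: this.userId }, { fields: { name: 1, surname: 1 } });
  });
}
```

The client then calls the method and subscribes to the publication instead of running `Meteor.users.update` itself.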