Object.defineProperty - prevent user changing this JavaScript

I want to check in my webapp if a user is admin.

  // object literal: properties are separated by commas, not semicolons
  var obj = { admin: false };

  Object.defineProperty(obj, "admin", {
      writable: false
  });

Now, a user can go into the console, and do:

  Object.defineProperty(obj, "admin", {
      writable: true
  });

  obj.admin = true;

Is there a way to prevent this? Is there another best way to prevent executing parts of JavaScript code if certain criteria apply? I understand users could alter the code anyway, so I am a bit looking for good practices.

No. You can't prevent users (like me) from running my own JavaScript in my OWN browser. You need to validate, authenticate and authorize on the server side. To authenticate and authorize a request you need to use standard mechanisms such as cookies, tokens, API access keys, etc.

You can create properties on objects that cannot be changed by using Object.defineProperty. Run the snippet below and you will see TypeError: Cannot redefine property: admin in the console.

  const User = {};
  Object.defineProperty(User, "admin", { value: false });
  Object.defineProperty(User, "admin", { value: true });

This is because Object.defineProperty defaults to false for writable, configurable, and enumerable. Here is an excerpt from the MDN Object.defineProperty documentation that talks about redefining existing properties.

When the property already exists, Object.defineProperty() attempts to modify the property according to the values in the descriptor and the object's current configuration. If the old descriptor had its configurable attribute set to false the property is said to be "non-configurable" and no attribute can be changed (besides a one-way change of writable to false). It is not possible to switch between data and accessor property types when the property is non-configurable.

All that being said, using this as a security measure will get you in trouble. As far as securing your code goes...

  1. ALWAYS validate data entering your application.
  2. Minify and obfuscate your code.
  3. Use strict mode. This will prevent a lot of unsafe practices.
  4. You can use linters to help prevent more unsafe practices.
  5. Read about common security pitfalls. OWASP Top Ten is a good place to read about some of these.

You can use Object.freeze

var obj = { admin: false };
Object.freeze(obj);
obj.admin = true;
console.log(obj)

// output: { admin: false }
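As an added example, not code from any answer on this page: lockedFlagBehaviour shows what the default descriptor attributes and Object.freeze actually enforce (a TypeError only in strict mode), and handleDeleteAccount shows the server-side authorization the first answer calls for, deciding from a session store the server controls rather than from any admin flag the browser sends. The token names, the in-memory session store and the request shape are constructed for the demo.

```javascript
// 1. What the descriptor defaults really lock down. defineProperty with only
//    { value } leaves writable, configurable and enumerable false, so a
//    redefinition throws and, in strict mode, so does a plain assignment.
function lockedFlagBehaviour() {
  "use strict"; // without strict mode the assignments below fail silently
  const user = {};
  Object.defineProperty(user, "admin", { value: false });
  let redefine = "ok", assign = "ok", frozenAssign = "ok";
  try { Object.defineProperty(user, "admin", { value: true }); } catch (e) { redefine = e.name; }
  try { user.admin = true; } catch (e) { assign = e.name; }
  const frozen = Object.freeze({ admin: false });
  try { frozen.admin = true; } catch (e) { frozenAssign = e.name; }
  return { admin: user.admin, redefine, assign, frozenAdmin: frozen.admin, frozenAssign };
}

// 2. Why none of that is an access control: the flag lives in the client's
//    memory, so the server must decide from state the client cannot forge.
//    Constructed in-memory session store keyed by bearer token (hypothetical).
const SESSIONS = new Map([
  ["tok-alice", { user: "alice", role: "admin" }],
  ["tok-bob",   { user: "bob",   role: "user"  }],
]);

// Authorize an admin-only action. Any "admin" field in the request body is
// ignored on purpose; only the server-side session decides the role.
function handleDeleteAccount(request) {
  const header = (request.headers && request.headers.authorization) || "";
  const token = header.startsWith("Bearer ") ? header.slice(7) : null;
  const session = token ? SESSIONS.get(token) : undefined;
  if (!session) return { status: 401, reason: "not authenticated" };
  if (session.role !== "admin") return { status: 403, reason: "not authorized" };
  return { status: 200, reason: "account deleted by " + session.user };
}

// Bob editing his client-side state changes nothing on the server.
console.log(lockedFlagBehaviour());
console.log(handleDeleteAccount({ headers: { authorization: "Bearer tok-bob" }, body: { admin: true } }));
console.log(handleDeleteAccount({ headers: { authorization: "Bearer tok-alice" }, body: {} }));
```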
