Object.defineProperty - prevent user changing this JavaScript
I want to check in my webapp if a user is admin.
var obj = { admin: false };
Object.defineProperty(obj, "admin", {
writable: false
});
Now, a user can go into the console, and do:
Object.defineProperty(obj, "admin", {
writable: true
});
obj.admin = true;
Is there a way to prevent this? Is there another best way to prevent executing parts of JavaScript code if a certain criteria applies? I understand, users could alter the code anyway, so I am a bit looking for good practices.
No. You can't prevent users (like me) from running my own JavaScript on my OWN browser. You need to validate, authenticate and authorize on the server-side. To authenticate and authorize a request you need to use standard mechanisms such as cookies, tokens, API access keys, etc.
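The server-side check that answer describes, as an added example that is not part of the original thread. The session store, the cookie name `sid`, the handler name and the sample sessions are assumptions made for illustration:

```javascript
// Added example: server-side authorization sketch (all names are hypothetical).
// The role comes from server-held session state keyed by the cookie value;
// nothing the browser claims about its own privileges is trusted.

// Constructed sample data: real session ids would be long random values.
const sessions = new Map([
  ["sess-alice", { user: "alice", role: "admin" }],
  ["sess-bob", { user: "bob", role: "user" }],
]);

// Extract the "sid" cookie from a Cookie header string.
function parseSessionId(cookieHeader) {
  for (const part of (cookieHeader || "").split(";")) {
    const [name, ...rest] = part.trim().split("=");
    if (name === "sid") return rest.join("=");
  }
  return null;
}

// Hypothetical handler for an admin-only action. `req` mimics an HTTP request:
// { headers: { cookie }, body }. Returns { status, body }.
function deleteUserHandler(req) {
  const session = sessions.get(parseSessionId(req.headers.cookie));
  if (!session) return { status: 401, body: "not authenticated" };
  // The authorization decision uses server state only; body.admin is ignored.
  if (session.role !== "admin") return { status: 403, body: "forbidden" };
  const body = req.body || {};
  // Validate input on the server as well, whatever the client-side code did.
  if (typeof body.target !== "string" || !/^[a-z0-9_-]{1,32}$/.test(body.target)) {
    return { status: 400, body: "invalid target" };
  }
  return { status: 200, body: `deleted ${body.target} (by ${session.user})` };
}

// A client that flipped obj.admin in the console can send whatever it likes:
const tampered = deleteUserHandler({
  headers: { cookie: "theme=dark; sid=sess-bob" },
  body: { admin: true, target: "carol" },
});
console.log(tampered); // { status: 403, body: 'forbidden' }
```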
You can create properties on objects that cannot be changed by using Object.defineProperty. Run the snippet below and you will see TypeError: Cannot redefine property: admin in the console.
const User = {};
Object.defineProperty(User, "admin", { value: false });
Object.defineProperty(User, "admin", { value: true });
This is because Object.defineProperty defaults to false for writable, configurable, and enumerable. Here is an excerpt from the MDN Object.defineProperty documentation that talks about redefining existing properties.
When the property already exists, Object.defineProperty() attempts to modify the property according to the values in the descriptor and the object's current configuration. If the old descriptor had its configurable attribute set to false the property is said to be "non-configurable" and no attribute can be changed (besides a one-way change of writable to false). It is not possible to switch between data and accessor property types when the property is non-configurable.
All that being said, using this as a security measure will get you in trouble. As far as securing your code goes...
You can use Object.freeze
var obj = { admin: false };
Object.freeze(obj);
obj.admin = true;
console.log(obj)
// output {admin:false}