Meteor: Security in Templates and Iron Router
I'm enjoying working with Meteor and trying out new things, but I often try to keep security in mind. So while I'm building out a prototype app, I'm trying to find the best practices for keeping the app secure. One thing I keep coming across is restricting a user based on either a role, or whether or not they're logged in. Here are two examples of issues I'm having.
// First example, trying to only fire an event if the user is an admin
// This is using the alanning:roles package
Template.homeIndex.events({
  "click .someclass": function(event) {
    if (Roles.userIsInRole(Meteor.user(), 'admin', 'admin-group')) {
      // Do something only if an admin in admin-group
    }
  }
});
My problem with the above is I can override this by typing Roles.userIsInRole = function() { return true; } in the console. Ouch.
The second example is using Iron Router. Here I want to allow a user to the "/chat" route only if they're logged in.
Router.route("/chat", {
  name: 'chatHome',
  onBeforeAction: function() {
    // Not secure! Meteor.user = function() { return true; } in the console.
    if (!Meteor.user()) {
      return this.redirect('homeIndex');
    } else {
      this.next();
    }
  },
  waitOn: function () {
    if (!!Meteor.user()) {
      return Meteor.subscribe("messages");
    }
  },
  data: function () {
    return {
      chatActive: true
    };
  }
});
Again I run into the same problem. Meteor.user = function() { return true; } in the console blows this pattern up. The only way around this I have found thus far is using a Meteor.method call, which seems improper, as they are stubs that require callbacks.
What is the proper way to address this issue?
Edit:
Using a Meteor.call callback doesn't work for me since it's calling for a response asynchronously. It's moving out of the hook before it can handle the response.
onBeforeAction: function() {
  var self = this;
  Meteor.call('someBooleanFunc', function(err, res) {
    if (!res) {
      return self.redirect('homeIndex');
    } else {
      self.next();
    }
  });
},
I guess you should try adding a check in the publish method in server. Something like this:
Meteor.publish('messages', function() {
  // this.userId is set by the server from the authenticated connection
  if (Roles.userIsInRole(this.userId, 'admin', 'admin-group')) {
    // Messages is the collection backing the "messages" publication (assumed name)
    return Messages.find();
  }
  else {
    // user not authorized. do not publish messages
    this.stop();
    return;
  }
});
You may do a similar check in your call methods in server.
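The server-side pattern the answer recommends, as an added example that is not part of the original post: a role lookup, a publication handler and a method handler, each deciding from the server's own user record and the connection's userId rather than from anything the client can patch in its console. It runs stand-alone, so `users`, `messages`, `userIsInRole`, `publishMessages` and `deleteMessage` are constructed stand-ins for the Meteor collections, alanning:roles, Meteor.publish and Meteor.methods, not Meteor's real API.

```javascript
// Constructed sample data, shaped like alanning:roles stores it (roles per group).
const users = {
  u1: { _id: "u1", roles: { "admin-group": ["admin"] } },
  u2: { _id: "u2", roles: { "admin-group": ["user"] } },
};
const messages = [
  { _id: "m1", text: "hello" },
  { _id: "m2", text: "world" },
];

// Server-side stand-in for Roles.userIsInRole(this.userId, role, group).
// It reads the role from the server's copy of the user record; overriding
// Roles.userIsInRole in the browser console has no effect on this.
function userIsInRole(userId, role, group) {
  const user = users[userId];
  if (!user || !user.roles) return false;
  const rolesInGroup = user.roles[group] || [];
  return rolesInGroup.includes(role);
}

// Stand-in for the 'messages' publication. ctx.userId models this.userId,
// which the server derives from the authenticated DDP connection, not from
// a value the client sends. Returns the documents to publish, or null when
// the publication should be stopped without sending anything.
function publishMessages(ctx) {
  if (!ctx.userId) return null; // not logged in
  if (!userIsInRole(ctx.userId, "admin", "admin-group")) return null;
  return messages;
}

// Stand-in for a Meteor method. The same rule is enforced again here,
// because a client can invoke any method directly regardless of what the
// UI template or Iron Router hook allowed it to see.
function deleteMessage(ctx, messageId) {
  if (!userIsInRole(ctx.userId, "admin", "admin-group")) {
    throw new Error("not-authorized");
  }
  const idx = messages.findIndex((m) => m._id === messageId);
  if (idx === -1) throw new Error("not-found");
  messages.splice(idx, 1);
  return messages.length; // remaining message count
}
```

The client-side checks in the question remain useful for hiding UI, but only these server-side checks decide what data leaves the server.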