[英]Creating deeply nested object in Prisma securely
I am using Prisma and Nextjs with the following data structure, with authentication using Next-Auth.我正在使用具有以下数据结构的 Prisma 和 Nextjs,并使用 Next-Auth 进行身份验证。
user
|-->profile
|-->log
|-->sublog
Right now the CRUD is sent to the database via API routes on Nextjs.现在,CRUD 通过 Nextjs 上的 API 路由发送到数据库。 And I want to write to
sublog
securely via the API.我想通过 API 安全地写入
sublog
。
So when I write this, it is open-ended:所以当我写这篇文章时,它是开放式的:
const sublog = await prisma.sublog.create({
data: {
name: req.body.name,
content: req.body.content,
log: {
connect: {
id: req.body.logId,
}
}
}
})
I have access to the user session from the frontend and backend in order to get the userID.我可以从前端和后端访问用户会话以获取用户 ID。 But I am not sure how to make the form submission secure that only if the user who owns the
log
can they be allowed to submit a sublog
.但是我不确定如何使表单提交安全,只有拥有
log
的用户才能被允许提交sublog
。
Any ideas on how to securely submit something securely while it is deeply nested?关于如何在深度嵌套时安全地提交内容的任何想法?
PS Note that I can turn on and off any component that edit/delete data at the frontend - but that's only on the frontend, I want to secure it on the API so that even if the client somehow is able to access a form within the log
that doesn't belong to them, it would still push an error from the API since the client don't belong there. PS 请注意,我可以打开和关闭任何在前端编辑/删除数据的组件——但这只是在前端,我想在 API 上保护它,这样即使客户端能够以某种方式访问表单中的表单不属于他们的
log
,它仍然会从 API 推送错误,因为客户端不属于那里。
You'd need to make a prisma query that checks who owns the log
before allowing the prisma.sublog.create
to be executed.在允许执行
prisma.sublog.create
之前,您需要进行 prisma 查询来检查谁拥有log
。 Prisma is agnostic to the concept of ownership - You need to add and check that logic yourself. Prisma 与所有权的概念无关——您需要自己添加并检查该逻辑。
const fullLog = await prisma.log.findUnique({
select: { // don't know what your model looks like, just guessing
id: true,
profile: {
select: {
userId: true
}
}
},
where: {
id: req.body.logId
}
});
// currentUserId = however you get the current user's id
if (fullLog && fullLog.profile.userId !== currentUserId) {
// throw an error
}
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.