

[英]Meteor - Check if user is logged in as administrator (Client - Side)

I'm currently developing an app which needs users and administrators. What I do right now is, I create an admin account on the client with username 'admin' and a default password that should be changed through the accounts-ui.

I do this because creating a user like this:

// Creates the admin account; note that 'profile' is writable by the user by default
Accounts.createUser({
    username    : 'admin',
    email       : 'test@test.com',
    password    : 'changethispasswordovertheuserinterface',
    profile     : { type : 'admin' }
});

doesn't work for me on server side. That means I just create the admin in my client.js and just use this code to check if the admin is logged in.

// Template helper: returns true only when the logged-in user's username is 'admin'
Template.admin.isAdmin = function () {
    var currentUser = Meteor.user();
    // Is this hackable?
    if (null !== currentUser) {
        if ('admin' === currentUser.username) {
            return true;
        }
    }
    return false;
};

Is this the best way to approach this? And most importantly, is my site hackable like this (Could somebody fake it)?

Yes this is hackable, one could pull up the Chrome inspector and modify this quite easily. Or even faster, by typing something like Template.admin.isAdmin = function () { return true; } into Chrome's web console.

The best approach would be to only provide the information to the client from the server's end if the user is an admin. So this would mean using Meteor.allow to ensure the database can only be changed by an administrative user, if performing ops from the client end.

It also depends a bit on what you want to use 'isAdmin' for too. If it's content, you could generate the html on the server's end and send it down to the client in a Meteor.methods. At the moment the templating system doesn't provide for locking down the UI on the client's end depending on what the user's document contains.

For any administrative commands, you could use a Meteor.call at which point the user is vetted on the server's end and the transaction is performed there.

The answers in this thread also work, and the top-voted answer includes the server-side code, i.e. the Meteor method call.
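Server-side vetting along the lines the answer describes, as an added example that is not from the original post or from Meteor itself: Meteor is not loaded, so the Meteor wiring (Meteor.methods, collection allow rules) appears only in comments, the user lookup is injected as a `findUser` function standing in for Meteor.users.findOne, and the admin flag is assumed to live in a server-controlled `roles` field rather than in `profile`, which Meteor lets users edit by default.

```javascript
// The decision is made from the user document stored on the server, never
// from anything the client sends or from a client-side template helper.
// Assumption: admins are marked with a server-managed `roles` array.
function isAdminUser(user) {
  return !!user && Array.isArray(user.roles) && user.roles.includes('admin');
}

// Gate that every privileged method body passes through. In Meteor this
// would be called with this.userId and Meteor.users.findOne as arguments,
// and would throw a Meteor.Error instead of a plain Error.
function requireAdmin(userId, findUser) {
  if (!userId) throw new Error('not-authorized: not logged in');
  const user = findUser(userId);
  if (!isAdminUser(user)) throw new Error('not-authorized: admin only');
  return user;
}

// Allow-rule callbacks for Posts.allow({ insert, update, remove }). Meteor
// passes (userId, doc) for insert/remove and (userId, doc, fields, modifier)
// for update; only the userId plus a server-side lookup decides the outcome.
function makeAdminOnlyAllowRules(findUser) {
  const check = (userId) => isAdminUser(findUser(userId));
  return { insert: check, update: check, remove: check };
}

// Body of a server method, e.g. Meteor.methods({ removePost(postId) { ... } }).
// `posts` stands in for the collection; a Map keeps the example offline.
function removePostAsAdmin(userId, postId, findUser, posts) {
  requireAdmin(userId, findUser);
  return posts.delete(postId) ? 1 : 0; // number of removed documents
}

// Constructed sample data standing in for Meteor.users. Note that u2 has
// profile.type === 'admin', which a user can set themselves, so it is ignored.
const sampleUsers = {
  u1: { _id: 'u1', username: 'admin', roles: ['admin'] },
  u2: { _id: 'u2', username: 'alice', profile: { type: 'admin' } },
};
const findSampleUser = (id) => sampleUsers[id];
```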
