在node.js中进行授权 [英] Authorization in node.js

问题描述

对新闻网站进行编码，我正在尝试进行授权，以便只有作者(张贴此文章的作者)才能对其进行编辑和删除(这些按钮显示在页面底部，并且对所有用户可见) ).

Coding a news website,I'm trying to make authorization so that only the author (who posted the article) is able to edit and delete it (these buttons appear at the bottom of the page and are visible to all the users).

但是有些新闻/网站没有登录/注册选项.例如: http://www.denofgeek.com/us . 因为他们没有身份验证，这是否意味着他们没有授权? 如果作者的设置与其余用户相同，他们如何编辑/删除文章?

But then there are certain news/websites which don't have a login/sign up option. For example : http://www.denofgeek.com/us . Because they have no authentication, does this mean that they have no authorization? How are they able to edit/delete the articles if the settings for the authors are the same as the rest of the users ?

代码:

app.get("/blog/:id/:title/edit", function(req,res) {
Blog.findById(req.params.id, function(err, foundBlog) {
    if(err) {
        res.redirect("/blog");
    } else {
        res.render("editBlog", {blog : foundBlog});
    }
  })
})

//UPDATE BLOG
app.put("/blog/:id/:title", function(req,res) {
    req.body.blog.body = req.sanitize(req.body.blog.body);
    Blog.findByIdAndUpdate(req.params.id, req.body.blog,{new: true}, function(err,updatedBlog) {
        if(err) {
            res.redirect("/blog");
        } else {
            res.redirect("/blog/" + req.params.id + "/" + req.params.title);
        }
    })
})

如果我不想使用身份验证，应该如何编辑/删除文章?

How should I go about editing/deleting the articles if I don't want to use authentication?

P.S:我当然可以删除页面上出现的编辑和删除按钮，并通过邮递员发送PUT和DELETE请求，但这显然是一个坏主意！

P.S : I can, of course, remove the edit and delete buttons appearing on the page and send PUT and DELETE requests via Postman, but it's obviously a bad idea!

推荐答案

浏览您提到的网站后，有一个供用户使用，一个供管理员使用，其中作者可以登录并进行更新，添加新帖子并删除旧帖子一次.

After going though the website you mentioned the have one for users and one is separate for admin where author can login and make updates add new post and delete old once.

没有任何身份验证，就不可能对特定用户进行编辑/删除.

It is not possible that without any authentication you can make edits / delete for a specific user.

因此，您应该像为作者创建一个单独的面板并为此设置登录页面那样操作，以便只有授权人员才能进入该页面，并且即使在我建议您使用的情况下，也可以实现删除/更新的功能.授权，因此如果有人知道您的api，他们将无法进行编辑，直到他们拥有令牌为止，您可以使用此 jsonwebtoken 来实现授权.

So you should do it like just create a separate panel for author and set a login page for that so only the authorized person can enter the page and there you can implement the functionality of deleting/updating even I would advice you to use authorization so if anyone came to know about your apis they cant make edits until they have the token to that you can use this jsonwebtoken to implement authorization.

希望这会有所帮助.

这篇关于在node.js中进行授权的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！