Preventing access to a page in Meteor


Question

I am building an app in meteor in which one of the pages is visible to user only if the user is logged in. The link to the page is in the navigation header and I want a login dialog to be displayed when the user clicks on the link without logging in. Here is the code for showing the dialog :

<template name="header">
  <a href="#" id="createPost">Create Post</a>
</template>

Template.header.events({
  "click #createPost": function (evt) {
    evt.preventDefault();
    if (!Meteor.user()) {
      $('#myModal').modal("show"); // bootstrap modal dialog
    } else {
      Router.go('/createPost');
    }
  }
});

However, the problem is that Meteor.user() check can easily be bypassed from browser console using Meteor.user = function(){return true;}

I tried checking Meteor.user() in the route and throwing an exception as follows :

Router.route('/createPost', function () {
  if (!Meteor.user()) {
    throw new Meteor.Error(500, 'You are not logged in.');
  }
  this.render('newbag');
});

But this check also doesn't work once Meteor.user has been modified in the browser. What is the best way to handle this case and prevent the page from being displayed?

Answer

There is no way to ensure that a client won't see a given page.

Even if you do put up a lot of tricks, in the end the client is receiving all the templates and he can still access them, be it with his browser console or through more advanced tricks.

What you want is to prevent the user from seeing and manipulating data, which is a validation that must be done server-side for security, and can be done client-side for a better feel for the user.
For example, in a publication:

Meteor.publish('userData', function() {
  if(!this.userId) {
    throw new Meteor.Error('user not logged-in');
  }
  //...
});

What you must ensure is that in a normal, legal use of your application, everything runs fine, the client sees what he can see and is prompted for what he needs to be prompted (here, "Please log in").

If the client is trying to screw up, let him get his page broken.
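Added example, not part of the original answer and not Meteor's own code: a framework-free sketch of the point above. The server resolves the caller's identity from its own session record (the way Meteor backs `this.userId`) and never from anything the client asserts, so overriding `Meteor.user()` in the console changes the client-side gate but nothing the server decides. The `sessions` and `posts` tables, the `tok-alice` token and the `Meteor` stub are all constructed stand-ins for this demonstration.

```javascript
'use strict';

// ---------------------------------------------------------------------------
// Server side (constructed stand-ins for a Meteor server)
// ---------------------------------------------------------------------------

// The server's own record of who is logged in: connection token -> userId.
// Constructed sample data; this is the server-side source that this.userId
// comes from in a real publication or method.
const sessions = new Map([['tok-alice', 'alice']]);

// Data that only a logged-in user may read or write. Constructed sample data.
const posts = [
  { _id: 'p1', owner: 'alice', title: 'Draft 1' },
  { _id: 'p2', owner: 'bob', title: 'Draft 2' },
];

// Resolve the caller's identity from the server-side session table only.
// Nothing the client claims about itself is consulted.
function userIdForConnection(token) {
  return sessions.get(token) || null;
}

// Mirrors the answer's publication: refuse when there is no logged-in user,
// otherwise hand back only that user's own documents.
function publishUserData(token) {
  const userId = userIdForConnection(token);
  if (!userId) {
    throw new Error('user not logged-in');
  }
  return posts.filter((p) => p.owner === userId);
}

// The same rule applied to a write, the way a server-side method would apply it.
// The owner is taken from the session, not from the submitted document.
function createPost(token, title) {
  const userId = userIdForConnection(token);
  if (!userId) {
    throw new Error('user not logged-in');
  }
  const doc = { _id: `p${posts.length + 1}`, owner: userId, title };
  posts.push(doc);
  return doc;
}

// ---------------------------------------------------------------------------
// Client side (constructed stand-in for the browser)
// ---------------------------------------------------------------------------

// Minimal stand-in for the client-side Meteor object from the question.
const Meteor = { user: () => null };

// The UX gate from the question's event handler: show the modal or navigate.
function clientGate() {
  return Meteor.user() ? 'navigate' : 'show-login-modal';
}

// Reproduce the console override the question describes and report what each
// side concludes, so the contrast between UX gate and server check is explicit.
function simulateConsoleBypass() {
  Meteor.user = () => null;                   // start from a logged-out client
  const before = clientGate();
  Meteor.user = function () { return true; }; // the override from the question
  const after = clientGate();
  // The tampered browser still presents no valid session token, so the
  // server-side check is unaffected by what the client-side stub returns.
  let serverVerdict;
  try {
    publishUserData('no-such-token');
    serverVerdict = 'allowed';
  } catch (e) {
    serverVerdict = e.message;
  }
  return { clientBefore: before, clientAfter: after, server: serverVerdict };
}

console.log(simulateConsoleBypass());
// { clientBefore: 'show-login-modal', clientAfter: 'navigate', server: 'user not logged-in' }
console.log(publishUserData('tok-alice'));
```

The client-side gate exists only so that a normal user is prompted to log in instead of hitting an error; the decision that matters is made where the client cannot reach it, and it is made for writes as well as for reads.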
