sails: disable `blueprints actions` in production, since it creates a huge security footprint?

Problem description

Getting familiar with Sails for Node.

One thing I need to get used to is the 'automagic' way in which routes for controller-methods are set-up using blueprints.

For example, from the docs, if actions-blueprints are enabled (which they are by default) GET, POST, PUT, and DELETE routes will be generated for every one of a controller's actions.

E.g. from the docs, when you've got controller-method EmailController.send the following routes are created:

     * `EmailController.send`
     * :::::::::::::::::::::::::::::::::::::::::::::::::::::::
     * `GET     /email/send/:id?`
     * `POST    /email/send/:id?`
     * `PUT     /email/send/:id?`
     * `DELETE  /email/send/:id?`

The docs specifically state: actions are enabled by default, and are OK for production-- however, you must take great care not to inadvertently expose unsafe controller logic to GET requests.

Normally I would write a controller-method for ONE specific HTTP Verb (e.g.: POST). That's clearly not compatible with this automagic wiring, since these methods would be exposed on GETs (and PUTs and DELETEs) as well, which would leave a huge security footprint imho.

So: what's the practical use of enabling these actions? To me, it seems like a huge security risk. On the other hand, I can (theoretically) imagine writing all controller methods with conditional logic to discriminate between HTTP VERBS , but for most controller methods this just doesn't make sense.

So help me out: What's the advantage of working with these actions which Sails seems to try to nudge me towards? Or is it just a way to get going quickly, but really not meant for production?

Thanks for wrapping my head around this.

Recommended answer

Action Blueprints automatically create routes to all the available controller methods. I personally turn them off, and do my routing manually.

RESTful blueprints automatically generate the controller methods themselves, which would then have routes to them created by the Action Blueprints. I believe these are the REST defaults....

 * GET      /boat/:id?      -> BoatController.find
 * POST     /boat           -> BoatController.create
 * PUT      /boat/:id       -> BoatController.update
 * DELETE   /boat/:id       -> BoatController.destroy
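As an added example (not code from the question, the answer, or Sails itself), here is a small model of what the two configurations above mean for a single action: with blueprint actions on, every verb reaches EmailController.send; with them off and one explicit route in config/routes.js, only POST does. The route resolver is a simplified, hypothetical stand-in for Sails' router (the optional `/:id?` suffix is left out), and the controller list is constructed.

```javascript
// config/blueprints.js as the question describes it: actions on by default
const blueprintsDefault = { actions: true };   // every verb bound to every action
// The hardened setting the answer recommends: route manually instead
const blueprintsHardened = { actions: false }; // only explicit routes apply

// config/routes.js: an explicit single-verb route (the answer's manual routing)
const manualRoutes = { 'POST /email/send': 'EmailController.send' };

// Controllers known to the app (constructed sample, not a real project)
const controllers = { EmailController: ['send'] };

const VERBS = ['GET', 'POST', 'PUT', 'DELETE'];

// Builds the "VERB /path" -> "Controller.action" table an app would expose.
// Simplified model of the blueprint rule: with actions enabled, each verb is
// bound to /<controller>/<action> for every action of every controller.
function buildRouteTable(blueprints, routes) {
  const table = {};
  for (const [route, target] of Object.entries(routes)) table[route] = target;
  if (blueprints.actions) {
    for (const [ctrl, actions] of Object.entries(controllers)) {
      const base = '/' + ctrl.replace(/Controller$/, '').toLowerCase();
      for (const action of actions) {
        for (const verb of VERBS) {
          table[`${verb} ${base}/${action}`] = `${ctrl}.${action}`;
        }
      }
    }
  }
  return table;
}

// Returns the action a request would reach, or null if nothing is bound.
function resolve(table, verb, path) {
  return table[`${verb} ${path}`] || null;
}

// Lists which HTTP verbs on a path reach the given controller action,
// i.e. the exposure of that action under a configuration.
function verbsReaching(table, target, path) {
  return VERBS.filter((v) => resolve(table, v, path) === target);
}

// Stand-alone demonstration of the difference between the two configs.
const open = buildRouteTable(blueprintsDefault, manualRoutes);
const closed = buildRouteTable(blueprintsHardened, manualRoutes);
console.log('actions on :', verbsReaching(open, 'EmailController.send', '/email/send'));
console.log('actions off:', verbsReaching(closed, 'EmailController.send', '/email/send'));
```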
