Understanding "Not permitted. Untrusted code may only update documents by ID." Meteor error


Question

In Meteor 0.5.8 the following change was introduced:

Calls to the update and remove collection functions in untrusted code may no longer use arbitrary selectors. You must specify a single document ID when invoking these functions from the client (other than in a method stub).

So now if you want to push arbitrary updates to the db from the client console, you have to do something like:

People.update({_id:People.findOne({name:'Bob'})['_id']}, {$set:{lastName:'Johns'}});

instead of:

People.update({name:'Bob'}, {$set:{lastName:'Johns'}});

I thought that this security issue was controlled by setting the Meteor.Collection.allow and .deny functions in conjunction with the autopublish and insecure packages. I liked being able to interact with the db from the Chrome JavaScript Console.

What is the motivation for the changes in Meteor 0.5.8?

Accepted answer

From the Meteor blog:

Changes to allow/deny rules

Starting in 0.5.8, client-only code such as event handlers may only update or remove a single document at a time, specified by _id. Method code can still use arbitrary Mongo selectors to manipulate any number of documents at once. To run complex updates from an event handler, just define a method with Meteor.methods and call it from the event handler.

This change significantly simplifies the allow/deny API, encourages better application structure, avoids a potential DoS attack in which an attacker could force the server to do a lot of work to determine if an operation is authorized, and fixes the security issue reported by @jan-glx.

To update your code, change your allow and deny handlers to take a single document rather than an array of documents. This should significantly simplify your code. Also check to see if you have any update or remove calls in your event handlers that use Mongo selectors (this is quite rare), and if so, move them into methods. For details, see the update and remove docs.

So basically, from my point of view, you almost never want the behavior to be able to update and delete arbitrary sets of documents from the client without any more specific knowledge (like the id of the document).

When prototyping—which I'm guessing is what you're doing—I suppose it can get in the way, but then if you ever want to get your code into production, I believe the pros outweigh the cons. This also comes down to the security declarations (allow and deny) being easier to specify after this change.

Hope that gave you some more information.
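An added illustration of the rule the answer describes (not code from the post and not Meteor's own source): untrusted client code may only pass a bare id or an {_id: id} selector, while a method body may use any selector. The in-memory People array, the matcher and the method name are assumptions standing in for a Meteor collection and Meteor.methods.

```javascript
// Error text as quoted in the question title.
const ERR = 'Not permitted. Untrusted code may only update documents by ID.';

// Assumed shape of the 0.5.8 check: a bare id string, or an object whose only
// key is _id with a string value. Extra fields, operators or non-string ids fail.
function isIdSelector(selector) {
  if (typeof selector === 'string') return true;
  if (selector === null || typeof selector !== 'object') return false;
  const keys = Object.keys(selector);
  return keys.length === 1 && keys[0] === '_id' && typeof selector._id === 'string';
}

// Minimal equality matcher standing in for Mongo selector evaluation.
function matches(doc, selector) {
  const sel = typeof selector === 'string' ? { _id: selector } : selector;
  return Object.keys(sel).every((k) => doc[k] === sel[k]);
}

// Applies a {$set: {...}} modifier to every matching doc; returns the count changed.
function applyUpdate(docs, selector, modifier) {
  let n = 0;
  for (const doc of docs) {
    if (matches(doc, selector)) { Object.assign(doc, modifier.$set); n += 1; }
  }
  return n;
}

// Untrusted (client) path: the by-ID rule is enforced before any data is touched,
// so the server never has to evaluate an arbitrary selector to authorize the call.
function clientUpdate(docs, selector, modifier) {
  if (!isIdSelector(selector)) throw new Error(ERR);
  return applyUpdate(docs, selector, modifier);
}

// Trusted path, standing in for a Meteor.methods body: arbitrary selectors are
// allowed here, so "rename everyone called Bob" belongs in a method, not the client.
function renameByNameMethod(docs, name, lastName) {
  return applyUpdate(docs, { name }, { $set: { lastName } });
}

// Constructed sample data in place of the People collection.
const People = [
  { _id: 'a1', name: 'Bob', lastName: 'Smith' },
  { _id: 'b2', name: 'Bob', lastName: 'Jones' },
  { _id: 'c3', name: 'Ann', lastName: 'Lee' },
];
```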
