理解为“不允许.不受信任的代码只能按ID更新文档.流星错误 [英] Understanding "Not permitted. Untrusted code may only update documents by ID." Meteor error

问题描述

在流星0.5.8 中，引入了以下更改:

In Meteor 0.5.8 the following change was introduced:

以不受信任的代码调用更新和删除收集功能 可能不再使用任意选择器.您必须指定一个 从客户端调用这些功能时的文档ID(非 在方法存根中.

Calls to the update and remove collection functions in untrusted code may no longer use arbitrary selectors. You must specify a single document ID when invoking these functions from the client (other than in a method stub).

因此，现在，如果您想从客户端控制台将任意更新推送到数据库，则必须执行以下操作:

So now if you want to push arbitrary updates to the db from the client console, you have to do something like:

People.update({_id:People.findOne({name:'Bob'})['_id']}, {$set:{lastName:'Johns'}});

代替:

People.update({name:'Bob'}, {$set:{lastName:'Johns'}});

我认为，通过设置Meteor.Collection.allow和.deny函数以及自动发布和不安全的软件包，可以控制此安全问题.我喜欢能够从Chrome JavaScript控制台与数据库进行交互.

I thought that this security issue controlled by setting the Meteor.Collection.allow and .deny functions in conjunction with the autopublish and insecure packages. I liked being able to interact with the db from the Chrome JavaScript Console.

流星0.5.8发生变化的动机是什么?

What is the motivation for the changes in Meteor 0.5.8?

推荐答案

来自流星博客:

更改为允许/拒绝规则

从0.5.8开始，事件处理程序之类的仅限客户端的代码一次只能更新或删除_id指定的单个文档.方法代码仍然可以使用任意的Mongo选择器来一次处理任意数量的文档.要从事件处理程序运行复杂的更新，只需使用Meteor.methods定义一个方法，然后从事件处理程序中调用它即可.

Changes to allow/deny rules

Starting in 0.5.8, client-only code such as event handlers may only update or remove a single document at a time, specified by _id. Method code can still use arbitrary Mongo selectors to manipulate any number of documents at once. To run complex updates from an event handler, just define a method with Meteor.methods and call it from the event handler.

此更改大大简化了allow/deny API，鼓励了更好的应用程序结构，避免了潜在的DoS攻击，在这种攻击中，攻击者可能迫使服务器执行大量工作来确定操作是否被授权，并解决了安全性问题.由@ jan-glx报告.

This change significantly simplifies the allow/deny API, encourages better application structure, avoids a potential DoS attack in which an attacker could force the server to do a lot of work to determine if an operation is authorized, and fixes the security issue reported by @jan-glx.

要更新代码，请更改允许和拒绝处理程序以采用单个文档而不是文档数组.这将大大简化您的代码.还请检查使用Mongo选择器的事件处理程序中是否有任何更新或删除调用(这种情况很少见)，如果有，请将它们移到方法中.有关详细信息，请参见更新和删除文档.

To update your code, change your allow and deny handlers to take a single document rather than an array of documents. This should significantly simplify your code. Also check to see if you have any update or remove calls in your event handlers that use Mongo selectors (this is quite rare), and if so, move them into methods. For details, see the update and remove docs.

因此，基本上，从我的角度来看，您几乎不希望这种行为能够在没有任何更多特定知识(例如文档ID)的情况下从客户端更新和删除任意文档集.

So basically, from my point of view, you almost never want the behavior to be able to update and delete arbitrary sets of documents from the client without any more specific knowledge (like the id of the document).

当进行原型设计时(我想这是您正在做的事情)，我想它可能会妨碍您的工作，但是如果您想将代码投入生产，那么我相信缺点胜过缺点.这也归结为安全声明(allow和deny)在更改后更易于指定.

When prototyping—which I'm guessing is what you're doing—I suppose it can get in the way, but then if you ever want to get your code into production, I believe the pros outweigh the cons. This also comes down to the security declarations (allow and deny) being easier to specify after this change.

希望能为您提供更多信息.

Hope that gave you some more information.

这篇关于理解为“不允许.不受信任的代码只能按ID更新文档.流星错误的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！