Parse data security and relationships

Question

I'm trying to determine the best approach for the following scenario using Parse and a Backbone front end. I want to build a discussion thread where two or more users, of various roles (i.e. member, admin, etc.), are able to communicate by posting simple messages which will appear in a chronological list. The messages would appear with the user's name, the user's photo, the date it was posted and the message content.

My initial instinct was to create a Message class in Parse with the following fields:

  • title (String)
  • message (String)
  • author (Pointer)

Then when I load the messages for the thread I would include the author relationship so I could get necessary info like their name and profile image.

// Load the thread's messages together with each author's record.
var query = new Parse.Query('Message');
query.include('author');
query.find({
    success: function(msgs) { /* ... */ },
    error: function(error) { /* ... */ }
});

This works, and is all fine and dandy, but then I got thinking about the ACLs I will be using to lock down my data and it occurred to me that I wouldn't want any user except an admin being able to see other users' information.

Sooooo that brings me to my dilemma: how can I limit the data that is available through this relationship so all user data isn't accessible but we can still access the user's name and profile pic?

I know I could always save the author's name and pic to the message record itself so I wouldn't need to access the relationship, but that runs into the problem of changing data on the author's side, like a new profile pic or name update that then is not reflected in the message thread.

Cloud code is another option whereby I could hand pick the fields to return, but that seemed like a lot of work if this scenario existed in a lot of places in your app.

Hopefully someone has some insight on this issue as I'm sure it's reasonably common in SPA world, I just didn't know how to phrase the question in a search so I haven't found anything.

Thanks!

Recommended answer

Consider that user-to-user conversations in a public system really ought to be between users' personae.

personaA <-> personaB
   |            |
 userA        userB

I would create a Persona table that is a user's public face. It would contain nickname (distinct from but maybe equal to username), photo and so on, as well as a pointer back to the user table, which would remain fully locked down at the class level.
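
One way to wire up the Persona approach from the answer with the Parse JavaScript SDK, as an added example that is not part of the original answer. The field keys `nickname`, `photo` and `user` and the helper names are assumptions; `Parse` is passed in as a parameter, and the class-level lock on the User class is configured on the server side, not in this client code.

```javascript
// Added example: Persona pattern. Field keys 'nickname', 'photo' and
// 'user' are assumed names, not taken from the original post.

// Build (but do not save) the public-facing record for a user.
function buildPersona(Parse, user, nickname, photo) {
  var Persona = Parse.Object.extend('Persona');
  var persona = new Persona();
  persona.set('nickname', nickname);
  persona.set('photo', photo);
  // Pointer back to the private User row. The User class stays locked
  // down, so the row itself is never returned to other users.
  persona.set('user', user);

  // new Parse.ACL(user) grants read and write to that user only;
  // open read to everyone so a thread can show name and photo,
  // and keep write access with the owner.
  var acl = new Parse.ACL(user);
  acl.setPublicReadAccess(true);
  acl.setPublicWriteAccess(false);
  persona.setACL(acl);
  return persona; // caller invokes persona.save()
}

// Thread query: Message.author now points at Persona, not at User.
function buildThreadQuery(Parse) {
  var query = new Parse.Query('Message');
  query.include('author');      // pulls in the Persona row only
  query.ascending('createdAt'); // chronological order
  return query;                 // caller invokes query.find()
}

// Reduce a fetched Message to exactly what the thread view renders.
function toThreadItem(message) {
  var persona = message.get('author');
  return {
    nickname: persona.get('nickname'),
    photo: persona.get('photo'),
    postedAt: message.createdAt,
    title: message.get('title'),
    message: message.get('message')
  };
}
```

Because the thread only ever includes Persona, a profile photo or nickname change shows up in existing messages without copying author data into each Message.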
