Apps Script Private functions


Question

In the Google Apps Script documentation, there is a page about private functions on the server side. That should explain that without private functions, the server code is visible from the user's browser. Can anybody explain how you can see such server-side functions in a browser? Thanks

See: https://developers.google.com/apps-script/guides/html/communication#private_functions

Recommended answer

The server code is never visible on the user's browser, only the function names. Private functions hide those names, but more importantly they remove the ability from the frontend to call them directly.

In other words, private functions allow you to define your backend entry points, preventing a malicious user from bypassing some checks you might have and calling your "internal" functions directly.

To showcase how easy it is to see the name and call any non-private backend function, I've put up this example where we inspect the google.script.run object:

function myFunction() {}

function anotherFunction() {}

function privateFunction_() {}

function doGet() {
  return HtmlService.createHtmlOutput(
    '<p id="output"></p>'+
    "<script>var s = ''; for( var prop in google.script.run ) s+=prop+'<br>';"+
    "document.getElementById('output').innerHTML = s;</script>"
  );
}

Here's this example published: https://script.google.com/macros/s/AKfycbzk0d03iB1O3vVYVD_U7eONM357iOPlAn7RFxAeZKx34q1Ones/exec

And its source code (same as above): https://script.google.com/d/1WMY5jWblGl8U84WvVU_mZjHDg-6rGOoOPnKMF6m2bS_V-2g6IChBVDrg/edit

- Addressing the question in the comments

The doGet function cannot be made private since its name is fixed/predefined. But that is not really a problem, as this function is supposed to be an entry point anyway, since you expect it to be called from the users' browsers and can do your parameter checks and such accordingly.
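
As an added example (not part of the original answer, and not Google's code), here is a small Node.js audit that lists which top-level functions in an Apps Script source file would be callable through google.script.run, so each exposed entry point can be reviewed for its own argument checks. The regex is a heuristic that only sees `function name(` declarations starting at column 0, and `deleteRow` / `deleteRowUnchecked_` are hypothetical names.

```javascript
// Added example: audit the client-callable surface of an Apps Script file.
// Assumption: top-level functions are `function name(...)` declarations that
// start at column 0; nested or indented declarations are ignored.

function auditExposedFunctions(source) {
  const decl = /^(?:async\s+)?function(?:\s*\*\s*|\s+)([A-Za-z_$][\w$]*)\s*\(/gm;
  const report = { callable: [], private: [] };
  for (const match of source.matchAll(decl)) {
    const name = match[1];
    // A trailing underscore marks the function private: its name is not sent
    // to the client and google.script.run cannot call it.
    (name.endsWith('_') ? report.private : report.callable).push(name);
  }
  return report;
}

// Constructed sample: the answer's four functions plus a hypothetical
// entry point that validates its argument before calling a private helper.
const SAMPLE_SOURCE = [
  'function myFunction() {}',
  'function anotherFunction() {}',
  'function privateFunction_() {}',
  'function doGet() {',
  '  return HtmlService.createHtmlOutput("<p>hi</p>");',
  '}',
  '// Public entry point: every check lives here.',
  'function deleteRow(rowId) {',
  '  if (!Number.isInteger(rowId) || rowId < 2) throw new Error("bad row");',
  '  return deleteRowUnchecked_(rowId);',
  '}',
  '// Private helper: trusts its caller, so it must not be exposed.',
  'function deleteRowUnchecked_(rowId) { /* performs the deletion */ }',
].join('\n');

const report = auditExposedFunctions(SAMPLE_SOURCE);
console.log('Callable from client:', report.callable.join(', '));
console.log('Private (server only):', report.private.join(', '));
```

Every name in the callable list should be treated as reachable with arbitrary arguments from any user who can load the web app.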
