How to make dynamic subscriptions secure in Meteor?


Problem description

This question builds on a previous one (see here).

The dynamic subscription is set up with this code (slightly modified from the previous question):

Meteor.startup(function(){
  // Client side: subscribe to whatever parents the server publishes.
  Meteor.subscribe('parents');

  Deps.autorun(function() {
    // Reactive: re-runs when the Session value or the matching parent document changes.
    var parent = Parents.findOne({ _id: Session.get('parentId') });
    if (!parent) return;
    // The whole parent document is sent to the server as the subscription argument.
    Meteor.subscribe('kids', parent);
  });
});

The problem is that the server side must trust the parent object that is passed by the client. Ideally, one would want to pass only the _id of the parent object like this:

  Deps.autorun(function() {
    // Only the _id from the Session is sent to the server.
    var parentId = Session.get('parentId');
    if (!parentId) return;
    Meteor.subscribe('kids', parentId);
  });

But, in this case, the dynamic subscription behavior breaks (e.g., the kids collection is not updated on the client when the parent's children array is updated).

Why is Session.get('parentId') less reactive than Parents.findOne({ _id: Session.get('parentId') }), or does this have to do with Meteor.subscribe('kids', parent) vs. Meteor.subscribe('kids', parentId)?

What would be the best pattern for coding this right?

Recommended answer

It seems like what you want to do is the following:

Deps.autorun(function() {
    // Project only the _id field: the computation still confirms that the parent
    // exists in the client's Parents collection before subscribing.
    var parent = Parents.findOne({ _id: Session.get('parentId') }, {fields: {_id: 1}});
    if (!parent) return;
    // Send only the _id; the server must look the parent up itself.
    Meteor.subscribe('kids', parent._id);
});

However, this still isn't exactly secure; it's just checking the Parents collection to make sure the referenced Session variable exists before attempting to subscribe to it - and this depends on the parents subscription. If you want it to be properly secured, you'll want to not send any parents over on the parent subscription to the client, if the client shouldn't be able to see them.
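The server-side half that the answer leaves implicit is where the security actually lives: the 'kids' publication must accept nothing but an _id, re-read the parent from its own collection and check that the logged-in user owns it, and the 'parents' publication must only send the caller's own parents. The following is an added example, not code from the original question or answer: a framework-free simulation in which plain arrays and functions stand in for Meteor's Mongo.Collection, Meteor.publish and this.userId, so it runs under Node without a Meteor runtime. The field names ownerId and kids (an array of kid _ids on the parent document) and the sample users are assumptions made for the illustration.

```javascript
// Framework-free stand-in for Meteor collections and publish functions.
// Constructed sample data (assumed schema): two users, each owning one parent.
const Parents = [
  { _id: 'p1', ownerId: 'alice', kids: ['k1', 'k2'] },
  { _id: 'p2', ownerId: 'bob',   kids: ['k3'] },
];
const Kids = [
  { _id: 'k1', name: 'Ann' },
  { _id: 'k2', name: 'Ben' },
  { _id: 'k3', name: 'Cid' },
];

// Stand-in for Meteor's check(parentId, String): rejects anything that is not a
// non-empty string, so a selector such as {$ne: null} can never reach the query.
function checkId(value) {
  if (typeof value !== 'string' || value.length === 0) {
    throw new Error('Match failed: expected a non-empty string _id');
  }
  return value;
}

// Insecure publication in the shape of the question's first version: the server
// trusts the whole `parent` object the client sent, including its kids array.
function publishKidsInsecure(userId, parent) {
  return Kids.filter(function (k) { return parent.kids.indexOf(k._id) !== -1; });
}

// Hardened publication: the client sends only an _id. The server validates the
// argument's type, re-reads the parent from its own collection and enforces
// ownership against the logged-in user (Meteor's this.userId, passed in here).
function publishKidsSecure(userId, parentId) {
  checkId(parentId);
  if (!userId) return [];   // not logged in: publish nothing
  const parent = Parents.find(function (p) {
    return p._id === parentId && p.ownerId === userId;
  });
  if (!parent) return [];   // unknown or not owned: publish nothing, reveal nothing
  return Kids.filter(function (k) { return parent.kids.indexOf(k._id) !== -1; });
}

// Matching 'parents' publication: only the caller's own parents are sent, so the
// client-side Parents.findOne() check in the answer can only succeed for those.
function publishParents(userId) {
  return Parents.filter(function (p) { return p.ownerId === userId; });
}

// Demonstration: alice forges a parent object that claims bob's kid.
function demo() {
  const forged = { _id: 'p2', kids: ['k3'] };
  const leaked = publishKidsInsecure('alice', forged).map(function (k) { return k._id; });
  const denied = publishKidsSecure('alice', 'p2').map(function (k) { return k._id; });
  const own = publishKidsSecure('alice', 'p1').map(function (k) { return k._id; });
  return { leaked: leaked, denied: denied, own: own };
}

console.log(demo());
```

In a real Meteor app the two publish functions would be registered with Meteor.publish('kids', ...) and Meteor.publish('parents', ...), use check() from the check package on the argument, and read this.userId instead of taking userId as a parameter; the point is that the client's copy of the parent document is never the source of truth for which kids it may see.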
