Meteor.users collection

Question

I'm new to Meteor and I've been reading a lot; however, I'm a little confused about the Meteor.users collection and the best way to use it. My interpretation of the best practice guide is that the Meteor.users collection should only be used for managing the accounts.ui package: email, password and username. The guide states that profile is insecure, a flaw in the original Meteor design, and should not be used.

So my question is: if I want to create a user profile that contains things like first name, last name, age, address, avatar etc., do I create a separate collection like 'userProfile' and link it using the Meteor.userId, or am I supposed to keep it in the Meteor.users collection somehow?

Recommended answer

Common practice is to put user profile information such as the kind you're describing into Meteor.user().profile. In fact people often do much more, for example memberships in groups, arrays of postIds, all kinds of things. Keeping a separate 1:1 profile collection is an option but there's no fundamental reason to do so that I can think of. On the contrary it makes things just a bit more complicated.

Update: As @jonatan points out in the comments, the Meteor Guide has now unrecommended the use of the profile field in the user document.

Instead they recommend storing custom user information as top-level keys in the user document. This is not only more secure but also more performant since incremental updates can get published over DDP on top-level keys but not on sub-keys.

Meteor.user().profile is always auto-published for the current user even after the autopublish package has been removed. Information about other users is not published at all unless you explicitly set up a publication. In that case care must be taken to only publish those fields that should be visible to other users. For example you may only want to publish the usernames of other users and not their email addresses for privacy. You would do this with:

 Meteor.publish('otherUsers',function(){
   return Meteor.users.find({},{ fields: { 'profile.username': 1 }});
 });

You might also restrict the set of other users that is published based on them being connected in some way to the current user to avoid publishing all users all the time.

You should also avoid publishing the services key which contains security information about the user (ex: the bcrypt of their password). As @David Weldon points out in the comments, you shouldn't put other security information in the profile either and you probably want a deny rule on the user modifying their own profile from the client.
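
The deny rule and field-limited publication discussed in the answer, as an added example that is not part of the original answer. It assumes custom data lives in top-level keys; `avatarUrl`, `registerUserSecurity`, `applyProjection` and the sample document are hypothetical names constructed for illustration.

```javascript
// Added example: server-side hardening for Meteor.users (not from the original answer).
// Inclusion-only projection: anything not listed (services, emails, profile) is never sent.
const PUBLIC_USER_FIELDS = { username: 1, avatarUrl: 1 }; // avatarUrl: hypothetical top-level key

// Call from server code with the real Meteor object: registerUserSecurity(Meteor).
function registerUserSecurity(Meteor) {
  // Reject every client-side update to user documents. Without this rule a
  // logged-in client can write to its own `profile` field directly.
  Meteor.users.deny({ update() { return true; } });

  // Publish other users through the whitelist only; anonymous clients get nothing.
  Meteor.publish('otherUsers', function () {
    if (!this.userId) return this.ready();
    return Meteor.users.find(
      { _id: { $ne: this.userId } },
      { fields: PUBLIC_USER_FIELDS }
    );
  });
}

// Offline check: apply the same top-level inclusion projection to a document
// to see exactly which keys a subscribed client would receive.
function applyProjection(doc, fields) {
  const out = { _id: doc._id };
  for (const key of Object.keys(fields)) {
    if (fields[key] && key in doc) out[key] = doc[key];
  }
  return out;
}

// Constructed sample shaped like a Meteor user record (values are placeholders).
const sampleUser = {
  _id: 'u1',
  username: 'alice',
  avatarUrl: '/img/alice.png',
  emails: [{ address: 'alice@example.com', verified: true }],
  services: { password: { bcrypt: '<constructed-placeholder>' } },
  profile: { isAdmin: false },
};
```

Writes that users legitimately need (for example changing their avatar) then go through a server method that validates the input, since the deny rule blocks direct client updates.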
