如何防止 Meteor.user() 的计时漏洞? [英] How can I prevent Meteor.user()'s timing hole?

问题描述

模板请求...

if (this.userRequesting._id === Meteor.user()._id) { ... }

...检查一个人的身份.(我怀疑这不是处理此问题的最佳方法，但我会将其留到另一个问题中，以免让这个问题过载).

...to check for a person's identity. (I suspect this isn't the best way to handle this, but I'll save that for another question so as to not overload this question).

我的问题是，这会导致一个巨大的错误级联，表明 Meteor.user() 未定义，仅在页面加载...一旦页面加载，此代码执行没有问题.显然，有一个时间漏洞(或者我相信)，其中 Meteor.user() 在页面加载的瞬间保持未分配状态.将上面的代码替换为...

My issue is that this results in a tremendous error cascade suggesting that Meteor.user() is undefined, only on pageload... Once the page is loaded, this code executes without a problem. Clearly, there is a timing hole (or so I believe) where Meteor.user() remains unassigned for a split second on page load. Replacing the above code with...

    ____________
if (Meteor.user() && this.userRequesting._id == Meteor.user()._id) { ... }

...解决了问题，但是...来继续...这不可能是犹太洁食.关于模板和 Meteor，我错误地做出了什么假设?

...fixes the problem, but... Come on... That can't possibly be kosher. What assumption am I erroneously making about templating and Meteor?

如果相关，我使用 accounts-password 作为我的作弊帐户经理.

If relevant, I'm using accounts-password as my cheat-y accounts manager.

:这看起来像 同样的问题，但我将这个问题留在了我正在寻找解决方案而不是解决方法的前提下.(我已经知道检查 Meteor.user() 可以解决这个问题.)

: This looks like the same problem, but I'm leaving this question up on the premise that I'm looking for a fix, not a workaround. (I already know checking for Meteor.user() resolves this.)

推荐答案

是的，您基本上做对了.当您第一次刷新页面时，不会认为用户已登录，它必须验证是否已登录.但是模板内容会立即调用，然后在加载其他内容时再次调用(如果您将 alert 放在 rendered 方法中，您会注意到这一点).最好的解决方案正是您所建议的，尽管您可以使用 Meteor.userId() 来获取 id:

Yep, you've basically gotten it right. When you first refresh the page, the user isn't consider to be logged in, and it has to verify that it is. But the template stuff is called immediately, and then again when other stuff is loaded (if you put an alert in a rendered method, you'll notice that). The best solution is exactly what you suggested, although you can use Meteor.userId() to get just the id:

if (Meteor.userId() && Meteor.userId() === this.userRequesting._id) {
    // ...

这篇关于如何防止 Meteor.user() 的计时漏洞?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！