How do I prevent users from accessing/modifying client-side models/collections?
Best answer
Use allow and deny to define which database changes each client is permitted to make.
From the docs:
When a client calls insert, update, or remove on a collection, the collection's allow and deny callbacks are called on the server to determine if the write should be allowed. If at least one allow callback allows the write, and no deny callbacks deny the write, then the write is allowed to proceed.
These checks are run only when a client tries to write to the database directly, for example by calling update from inside an event handler. Server code is trusted and isn't subject to allow and deny restrictions. That includes methods that are called with Meteor.call — they are expected to do their own access checking rather than relying on allow and deny.
You can call allow as many times as you like, and each call can include any combination of insert, update, and remove functions. The functions should return true if they think the operation should be allowed. Otherwise they should return false, or nothing at all (undefined). In that case Meteor will continue searching through any other allow rules on the collection.
Regarding "Meteor.js models/collections accessible on the client. Security issue?", we found a similar question on Stack Overflow: https://stackoverflow.com/questions/10451497/