
Meteor: how do you secure the client-side MongoDB API?

September 7, 2024 | 32 | kenshinobiy

I don't want every user to be able to insert/destroy data.

Please refer to the following:

[Update] There is now an official, documented Auth Package that provides different solutions for securing collections.

At the CRUD level:

[Server] collection.allow(options) and collection.deny(options). Restricts default write methods on this collection. Once either of these are called on a collection, all write methods on that collection are restricted regardless of the insecure package.



Also, the insecure package can be removed to take away full write access from the client.

Source: Getting Started with Auth (thanks @dan-dascalescu)

[Old answer]

Apparently an Auth Package (?) is being developed that should keep any user from having full control over the db the way they do now. Someone also suggested that an existing solution (workaround) is to define your own mutations (methods) and have them fail when an unauthorized operation is attempted. I haven't found anything better, but I think this will often be necessary, because I doubt the Auth Package will let you implement conventional auth logic at the row level (probably only on the CRUD methods). Will have to see what the developers say.

[Edit]
Found something that seems to confirm my thinking:

Currently the client is given full write access to the collection. They can execute arbitrary Mongo update commands. Once we build authentication, you will be able to limit the client's direct access to insert, update, and remove. We are also considering validators and other ORM-like functionality.



Source of this answer:

Accessing to DB at client side as in server side with meteor

https://stackoverflow.com/questions/10100813/data-validation-and-security-in-meteor/10101516#10101516
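The allow/deny rules the answer points to are easy to get wrong in one way: a deny rule always wins over an allow rule, and a collection with no rules at all (after the insecure package is removed) rejects every client write. The following is an added example, not code from the post or from Meteor itself: a stand-alone simulation of that rule combination, with the collection name `Posts`, the `owner` and `published` fields and the simplified callback signature `(userId, doc)` all assumed for illustration.

```javascript
// Added example: simulates how Meteor combines collection.allow and collection.deny
// rules. Assumption: a client write is permitted only if at least one allow callback
// returns true AND no deny callback returns true (the rule Meteor's docs describe).
// Real Meteor update callbacks also receive fieldNames and modifier; omitted here.

function makeCollection() {
  const rules = { allow: [], deny: [] };
  return {
    // Same shape as collection.allow(options) / collection.deny(options).
    allow(options) { rules.allow.push(options); },
    deny(options) { rules.deny.push(options); },
    // Before any allow/deny call, no write is permitted: this is what removing the
    // insecure package gives you, a closed default.
    permits(kind, userId, doc) {
      const run = (list) => list
        .filter((r) => typeof r[kind] === 'function')
        .map((r) => r[kind](userId, doc));
      const allowed = run(rules.allow).some(Boolean);
      const denied = run(rules.deny).some(Boolean);
      return allowed && !denied;
    },
  };
}

const Posts = makeCollection(); // assumed collection name

// Only logged-in users may insert, and only as owner of the new document;
// updates and removes are restricted to the owner.
Posts.allow({
  insert(userId, doc) { return userId != null && doc.owner === userId; },
  update(userId, doc) { return doc.owner === userId; },
  remove(userId, doc) { return doc.owner === userId; },
});

// Deny overrides allow: nobody, not even the owner, may remove a published post.
Posts.deny({
  remove(userId, doc) { return doc.published === true; },
});

// Constructed sample documents and the decisions the rules produce.
function demo() {
  const draft = { owner: 'u1', published: false };
  const live = { owner: 'u1', published: true };
  return {
    anonInsert: Posts.permits('insert', null, draft),       // false: not logged in
    ownerInsert: Posts.permits('insert', 'u1', draft),      // true
    strangerUpdate: Posts.permits('update', 'u2', draft),   // false: not the owner
    ownerRemoveDraft: Posts.permits('remove', 'u1', draft), // true
    ownerRemoveLive: Posts.permits('remove', 'u1', live),   // false: deny wins
  };
}
```

Run `demo()` to see each decision; a collection created with `makeCollection()` but given no rules returns false for every write, which is the closed default you want once insecure is gone.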