How do I prevent a spoofed user ID when creating documents with Meteor and the accounts packages, by verifying the user on the server side when the request is made?
Here I add the userId to the createdBy field of my Workout entity, but would a malicious actor be able to pick whatever user ID he or she wants?
In lib/collections/workouts.js
Workouts = new Mongo.Collection('workouts');

// Workouts Schema
Workouts.attachSchema(new SimpleSchema({
  name: {
    type: String,
    label: 'Name',
    max: 100,
    optional: true
  },
  date: {
    type: Date,   // the type is the Date constructor, not a Date instance
    label: 'Date'
  },
  feeling: {
    type: Number,
    label: 'Feeling',
    min: 0,
    max: 5,
    decimal: false
  },
  notes: {
    type: String,
    label: 'Notes',
    optional: true
  },
  // Arrays of IDs should be prefixed with a '_'
  _sets: {
    type: [String],
    label: 'Sets',
    optional: true
  }
}));

// Helpers
Workouts.helpers({
  sets: function() {
    return Sets.find({ _id: { $in: this._sets } });
  }
});

// Hooks
Workouts.before.insert(function(userId, doc) {
  doc.createdBy = userId;
});

// Allow rules for client-initiated writes (run on the server)
if (Meteor.isServer) {
  Workouts.allow({
    insert: function (userId, doc) {
      return true;
    },
    update: function (userId, doc, fieldNames, modifier) {
      return true;
    },
    remove: function (userId, doc) {
      return true;
    }
  });
}
In client/templates/workouts/create_workout/create_workout.html
<template name="createWorkout">
  <h1>Create Workout</h1>
  {{#autoForm collection="Workouts" doc=this id="editWorkoutForm" type="insert"}}
    {{> afQuickField name="name"}}
    {{> afQuickField name="date"}}
    {{> afQuickField name="feeling"}}
    {{> afQuickField name="notes" rows=5}}
    <button type="submit" class="btn btn-primary">Insert</button>
  {{/autoForm}}
</template>
I am using the following packages:
accounts-password 1.1.4 Password support for accounts
aldeed:autoform 5.8.1 Easily create forms with automatic insert ...
aldeed:collection2 2.8.0 Automatic validation of insert and update ...
aldeed:delete-button 2.0.0 Provides a delete button UI component
aldeed:simple-schema 1.5.3 A simple schema validation object with rea...
blaze-html-templates 1.0.1 Compile HTML templates into reactive UI wi...
dburles:collection-helpers 1.0.4 Transform your collections with helpers th...
ecmascript 0.1.6* Compiler plugin that supports ES2015+ in a...
es5-shim 4.1.14 Shims and polyfills to improve ECMAScript...
iron:router 1.0.12 Routing specifically designed for Meteor
jquery 1.11.4 Manipulate the DOM using CSS selectors
matb33:collection-hooks 0.8.1 Extends Mongo.Collection with before/after...
meteor-base 1.0.1 Packages that every Meteor app needs
mobile-experience 1.0.1 Packages for a great mobile user experience
mongo 1.1.3 Adaptor for using MongoDB and Minimongo ov...
session 1.1.1 Session variable
standard-minifiers 1.0.2 Standard minifiers used with Meteor apps b...
tracker 1.0.9 Dependency tracker to allow reactive callb...
twbs:bootstrap 3.3.6 The most popular front-end framework for d...
Answer 0 (score: 1)
You can use the autoValue feature of simple-schema instead of using hooks. Your code snippet would look something like this.
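The following is an added example, not code from the question or the answer above: a createdBy field written as a simple-schema autoValue, together with a small stand-in for the context object that collection2 passes to autoValue (an assumption made so the field logic can be exercised offline), and an owner check that can replace the `return true` allow rules. In a real app `this.userId` is set by collection2 on the server from the method invocation, so a client-supplied createdBy is never trusted.

```javascript
// Field definition as it would appear inside Workouts.attachSchema({...}).
const createdByField = {
  type: String,
  label: 'Created by',
  denyUpdate: true,            // collection2: reject any update that touches it
  autoValue: function () {
    if (this.isInsert) {
      // Ignore whatever the client sent and use the authenticated user.
      return this.userId;
    }
    if (this.isUpsert) {
      return { $setOnInsert: this.userId };
    }
    // Plain update: strip the field so it cannot be rewritten.
    this.unset();
  }
};

// Minimal emulation of the autoValue invocation context (assumption: this
// stub mirrors the properties the real library supplies; it exists only so
// the field logic can be tested here without Meteor).
function runAutoValue(field, { userId, isInsert = false, isUpsert = false, clientValue }) {
  let unsetCalled = false;
  const ctx = {
    userId,
    isInsert,
    isUpsert,
    isUpdate: !isInsert && !isUpsert,
    value: clientValue,
    isSet: clientValue !== undefined,
    unset() { unsetCalled = true; }
  };
  const result = field.autoValue.call(ctx);
  return { result, unsetCalled };
}

// Server-side guard for the allow rules: only a logged-in owner may
// update or remove a workout (replaces the unconditional `return true`).
function ownerOnly(userId, doc) {
  return !!userId && doc.createdBy === userId;
}
```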