Preventing access to a page in Meteor

Published 2019-09-12 08:45

I am building an app in Meteor in which one of the pages is visible to the user only if the user is logged in. The link to the page is in the navigation header, and I want a login dialog to be displayed when the user clicks on the link without being logged in. Here is the code for showing the dialog:

<template name="header">
 <a href="#" id="createPost">Create Post</a>
</template>

Template.header.events({
    "click #createPost": function (evt) {
        evt.preventDefault();
        if (!Meteor.user()) {
            $('#myModal').modal("show"); // bootstrap modal dialog
        } else {
            Router.go('/createPost');
        }
    }
});

However, the problem is that the Meteor.user() check can easily be bypassed from the browser console using Meteor.user = function(){return true;}

I tried checking Meteor.user() in the route and throwing an exception as follows:

Router.route('/createPost', function () {
    if (!Meteor.user()) {
        throw new Meteor.Error(500, 'You are not logged in.');
    }
    this.render('newbag');
});

But this check also doesn't work once Meteor.user has been modified in the browser. What is the best way to handle this case and prevent the page from being displayed?

2 answers
Rolldiameter
#2 · 2019-09-12 09:15

I agree with the other answers: if you really want to lock down an application, then you'll need to consider server-side controls as well.

For apps that require less security, I generally do something similar to your code using iron-router:

Router.route('/', {
    name: 'home',
    template: 'home',
    onBeforeAction: function () {
        var currentUser = Meteor.userId();
        if (currentUser) {
            this.next();
        } else {
            this.render("login");
        }
    }
});

I tested with your hack on the console and it reliably keeps redirecting to 'login', but the login screen itself (I am using accounts-ui and accounts-password) then breaks, as you cannot log out the Null user.

爱情/是我丢掉的垃圾
#3 · 2019-09-12 09:31

There is no way to ensure that a client won't see a given page.

Even if you put up a lot of tricks, in the end the client is receiving all the templates and can still access them, be it with his browser console or through more advanced tricks.

What you want is to prevent the user from seeing and manipulating data, which is a validation that must be done server-side for security, and can be done client-side for a better feel for the user.
For example, in a publication:

Meteor.publish('userData', function() {
  if(!this.userId) {
    throw new Meteor.Error('user not logged-in');
  }
  //...
});

What you must ensure is that in a normal, legal use of your application, everything runs fine: the client sees what he can see and is prompted for what he needs to be prompted for (here, "Please log in").

If the client is trying to screw up, let him get his page broken.

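The point made in the two answers, that the console override of Meteor.user() only changes what the browser believes while the server resolves the user from the connection's login token, as an added, self-contained example (not code from the thread or from Meteor itself). MeteorError, the `sessions` map, the `posts` array and the DDP-style `callMethod` helper are constructed stand-ins for the real Meteor pieces so the file runs under plain Node.

```javascript
// Constructed stand-ins for the Meteor server side (not Meteor's own code):
// MeteorError mimics Meteor.Error, `sessions` stands in for the login tokens
// the accounts system stores server-side, `posts` for a Mongo collection.
class MeteorError extends Error {
  constructor(error, reason) { super(reason); this.error = error; this.reason = reason; }
}
const sessions = new Map([["token-alice", "user-alice"]]); // token -> userId
const posts = [];

// Server-side method, equivalent to Meteor.methods({ createPost(doc) {...} }).
// In Meteor `this.userId` is resolved by the server from the connection's
// login token, so redefining Meteor.user() in the browser cannot change it.
const serverMethods = {
  createPost(ctx, doc) {
    if (!ctx.userId) {
      throw new MeteorError("not-authorized", "You are not logged in.");
    }
    if (typeof doc.title !== "string" || doc.title.length === 0) {
      throw new MeteorError("invalid-post", "A post needs a title.");
    }
    const post = { title: doc.title, owner: ctx.userId };
    posts.push(post);
    return post;
  },
};

// Simulates a DDP method call: the client sends at most its login token;
// the userId the method sees is derived server-side from that token.
function callMethod(token, name, ...args) {
  const ctx = { userId: sessions.get(token) || null };
  return serverMethods[name](ctx, ...args);
}

// A browser where `Meteor.user = function(){return true;}` was run in the
// console (the bypass from the question), holding no real login token.
const tamperedClient = { user: () => true, token: undefined };

function attemptAsTamperedClient() {
  const clientGuard = tamperedClient.user() ? "passed" : "blocked"; // fooled
  let server;
  try {
    callMethod(tamperedClient.token, "createPost", { title: "hacked" });
    server = "allowed";
  } catch (e) {
    server = e.error; // "not-authorized"
  }
  return { clientGuard, server };
}
```

The same `if (!ctx.userId)` test is what the publication in the answer does with `this.userId`; the client-side route guard stays purely a convenience for legitimate users.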