
Validating the createdBy userID in Meteor

Stack Overflow user
Asked on 2016-02-22 11:34:14
Answers: 1  Views: 135  Following: 0  Votes: 0

How can I prevent a user from spoofing the userId when creating documents with Meteor and the user-accounts package, by verifying on the server side which user is making the request?

Here I add the userID to the createdBy field of my entity, but couldn't a malicious attacker simply pick any userID he or she wants?

lib/collections/workouts.js

Workouts = new Mongo.Collection('workouts');

// Workouts Schema
Workouts.attachSchema(new SimpleSchema({
  name: {
    type: String,
    label: 'Name',
    max: 100,
    optional: true
  },
  date: {
    type: Date,   // the schema takes the Date constructor, not a Date instance
    label: 'Date'
  },
  feeling: {
    type: Number,
    label: 'Feeling',
    min: 0,
    max: 5,
    decimal: false
  },
  notes: {
    type: String,
    label: 'Notes',
    optional: true
  },
  // Arrays of IDs should be prefixed with a '_'
  _sets: {
    type: [String],
    label: 'Sets',
    optional: true
  }
}));

// Helpers
Workouts.helpers({
  sets: function() {
    return Sets.find({ _id: { $in: this._sets } });
  }
});

// Hooks
Workouts.before.insert(function(userId, doc) {
  doc.createdBy = userId;
});

// Allow server-side publishing
if (Meteor.isServer) {
  Workouts.allow({
    insert: function (userId, doc) {
      return true;
    },

    update: function (userId, doc, fieldNames, modifier) {
      return true;
    },

    remove: function (userId, doc) {
      return true;
    }
  });
}

client/templates/workouts/create_workout/create_workout.html

ateWorkout">
  <h1>Create Workout</h1>
    {{# autoForm collection="Workouts" doc=this id="editWorkoutForm" type="insert"}}
      {{> afQuickField name="name"}}
      {{> afQuickField name="date"}}
      {{> afQuickField name="feeling"}}
      {{> afQuickField name="notes" rows=5}}
      <button type="submit" class="btn btn-primary">Insert</button>
    {{/autoForm}}
</template>

I am using the following packages:

accounts-password           1.1.4  Password support for accounts
aldeed:autoform             5.8.1  Easily create forms with automatic insert ...
aldeed:collection2          2.8.0  Automatic validation of insert and update ...
aldeed:delete-button        2.0.0  Provides a delete button UI component
aldeed:simple-schema        1.5.3  A simple schema validation object with rea...
blaze-html-templates        1.0.1  Compile HTML templates into reactive UI wi...
dburles:collection-helpers  1.0.4  Transform your collections with helpers th...
ecmascript                  0.1.6* Compiler plugin that supports ES2015+ in a...
es5-shim                    4.1.14  Shims and polyfills to improve ECMAScript...
iron:router                 1.0.12  Routing specifically designed for Meteor
jquery                      1.11.4  Manipulate the DOM using CSS selectors
matb33:collection-hooks     0.8.1  Extends Mongo.Collection with before/after...
meteor-base                 1.0.1  Packages that every Meteor app needs
mobile-experience           1.0.1  Packages for a great mobile user experience
mongo                       1.1.3  Adaptor for using MongoDB and Minimongo ov...
session                     1.1.1  Session variable
standard-minifiers          1.0.2  Standard minifiers used with Meteor apps b...
tracker                     1.0.9  Dependency tracker to allow reactive callb...
twbs:bootstrap              3.3.6  The most popular front-end framework for d...

1 Answer

Stack Overflow user

Posted on 2016-02-22 11:42:27

You can use the simple-schema autoValue feature instead of a hook. Your snippet would look like this.

createdBy: {
    type: String,
    // Computed when the document is written; the returned value replaces
    // whatever the client put in this field
    autoValue: function () {
        return Meteor.userId();
    },
    denyUpdate: true,   // later attempts to modify this field are rejected
    optional: true
}
Votes: 1
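To make the security point of the answer concrete, here is an added example that is not code from the question, the answer or Meteor itself: a stand-alone Node model of the trust boundary the answer relies on. The server derives createdBy from the authenticated session rather than from the submitted document, rejects updates to a denyUpdate field, and replaces the question's `return true` allow rules with owner-only checks. The names `serverInsert`, `serverUpdate`, `validate`, `attempt` and the session objects are hypothetical and exist only in this model; the spoofed payload and user sessions are constructed for the demonstration. In Meteor the same work is done by collection2's autoValue context (which exposes `this.userId` for the user performing the write) and the collection's allow/deny rules.

```javascript
// Schema in the spirit of simple-schema. The server recomputes every autoValue
// from the authenticated userId, so a client-supplied createdBy is never trusted.
const workoutSchema = {
  name:      { type: 'string', optional: true },
  feeling:   { type: 'number' },
  createdBy: {
    type: 'string',
    optional: true,
    denyUpdate: true,
    autoValue() { return this.userId; }  // `this` is the server-side call context
  }
};

// Validate a document against the schema; returns an array of error strings.
function validate(schema, doc) {
  const errors = [];
  for (const [key, rule] of Object.entries(schema)) {
    if (doc[key] === undefined) {
      if (!rule.optional) errors.push(`${key} is required`);
    } else if (typeof doc[key] !== rule.type) {
      errors.push(`${key} must be ${rule.type}`);
    }
  }
  for (const key of Object.keys(doc)) {
    if (key !== '_id' && !(key in schema)) errors.push(`${key} is not in the schema`);
  }
  return errors;
}

// Server-side insert (hypothetical model). The userId comes from the session the
// server authenticated, never from the payload; autoValue fields overwrite client input.
function serverInsert(collection, schema, session, clientDoc, allowInsert) {
  if (!allowInsert(session.userId, clientDoc)) throw new Error('insert denied');
  const doc = { ...clientDoc };
  for (const [key, rule] of Object.entries(schema)) {
    if (rule.autoValue) doc[key] = rule.autoValue.call({ userId: session.userId });
  }
  const errors = validate(schema, doc);
  if (errors.length) throw new Error(errors.join('; '));
  doc._id = `w${collection.length + 1}`;
  collection.push(doc);
  return doc;
}

// Server-side update (hypothetical model). denyUpdate fields are rejected before
// the allow rule runs, and the allow rule limits changes to the document's owner.
function serverUpdate(collection, schema, session, id, modifier, allowUpdate) {
  const doc = collection.find(d => d._id === id);
  if (!doc) throw new Error('document not found');
  const fields = Object.keys(modifier);
  const denied = fields.filter(f => schema[f] && schema[f].denyUpdate);
  if (denied.length) throw new Error(`${denied.join(', ')}: denyUpdate`);
  if (!allowUpdate(session.userId, doc, fields)) throw new Error('update denied');
  Object.assign(doc, modifier);
  return doc;
}

// Owner-only allow rules, the tightened replacement for the question's `return true` rules.
const allowInsert = (userId) => !!userId;
const allowUpdate = (userId, doc) => !!userId && doc.createdBy === userId;

// Turn a thrown error into its message so the outcomes can be compared side by side.
function attempt(fn) { try { return fn(); } catch (e) { return `rejected: ${e.message}`; } }

function demo() {
  const Workouts = [];                       // constructed in-memory collection
  const alice = { userId: 'alice' };         // constructed authenticated sessions
  const mallory = { userId: 'mallory' };
  const anon = { userId: null };
  // Constructed spoofed payload: mallory's client claims the document belongs to alice.
  const spoofed = { name: 'Legs', feeling: 4, createdBy: 'alice' };
  const stored = serverInsert(Workouts, workoutSchema, mallory, spoofed, allowInsert);
  return {
    storedCreatedBy: stored.createdBy,       // 'mallory': taken from the session, not the payload
    anonymousInsert: attempt(() => serverInsert(Workouts, workoutSchema, anon, { feeling: 3 }, allowInsert)),
    crossUserUpdate: attempt(() => serverUpdate(Workouts, workoutSchema, alice, stored._id, { feeling: 1 }, allowUpdate)),
    ownerUpdate: attempt(() => serverUpdate(Workouts, workoutSchema, mallory, stored._id, { feeling: 1 }, allowUpdate)).feeling,
    createdByUpdate: attempt(() => serverUpdate(Workouts, workoutSchema, mallory, stored._id, { createdBy: 'alice' }, allowUpdate))
  };
}

console.log(demo());
```

The two design choices worth carrying back to the real application are the same ones the answer makes: the owner field is computed on the server from the connection's identity and is marked denyUpdate, and the allow rules check `doc.createdBy === userId` instead of returning true, so a client cannot insert as another user, nor edit or re-own another user's document.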
Page content provided by Stack Overflow; translation by Tencent Cloud's IT-domain engine.
Original link:

https://stackoverflow.com/questions/35545394
