meteor - 理解 "Not permitted. Untrusted code may only update documents by ID."Meteor 错误

Question

在 Meteor 0.5.8引入了以下更改:

Calls to the update and remove collection functions in untrusted codemay no longer use arbitrary selectors. You must specify a singledocument ID when invoking these functions from the client (other thanin a method stub).

因此，现在如果您想从客户端控制台向数据库推送任意更新，您必须执行以下操作:

People.update({_id:People.findOne({name:'Bob'})['_id']}, {$set:{lastName:'Johns'}});

代替:

People.update({name:'Bob'}, {$set:{lastName:'Johns'}});

我认为这个安全问题是通过设置 Meteor.Collection.allow 和 .deny 函数以及自动发布和不安全包来控制的。我喜欢能够从 Chrome JavaScript 控制台与数据库交互。
Meteor 0.5.8 变化的动机是什么？

Answer 1

来自 Meteor blog :

Changes to allow/deny rules

Starting in 0.5.8, client-only code such as event handlers may only update or remove a single document at a time, specified by _id. Method code can still use arbitrary Mongo selectors to manipulate any number of documents at once. To run complex updates from an event handler, just define a method with Meteor.methods and call it from the event handler.

This change significantly simplifies the allow/deny API, encourages better application structure, avoids a potential DoS attack in which an attacker could force the server to do a lot of work to determine if an operation is authorized, and fixes the security issue reported by @jan-glx.

To update your code, change your allow and deny handlers to take a single document rather than an array of documents. This should significantly simplify your code. Also check to see if you have any update or remove calls in your event handlers that use Mongo selectors (this is quite rare), and if so, move them into methods. For details, see the update and remove docs.

所以基本上，从我的角度来看，你几乎不希望行为能够在没有任何更具体的知识(如文档的 id)的情况下从客户端更新和删除任意文档集。
当原型(prototype)设计——我猜这就是你正在做的事情——我想它可能会妨碍你，但是如果你想让你的代码投入生产，我相信利大于弊。这也归结为安全声明( allow 和 deny )在此更改后更容易指定。
希望能给你更多的信息。