mongodb - Safe Methods in Meteor -



mongodb - Safe Methods in Meteor -

i'm working on messaging app using meteor. disabled insert/update/remove called client security reasons. way insert messages using methods.

meteor.methods({ sendmessage: function (text) { messages.insert({ userid: meteor.userid(), roomid: rooms.findone()._id, name: meteor.users.find(meteor.userid()).fetch()[0].profile.name , message: text }); } });

this approach asks content of message, there's no way user phone call method using other name or seek send same message other chat rooms.

i'm beginner using meteor wonder, wouldn't real method (not stub) run on server different values userid , roomid? rooms.findone()._id on server random room document on db, userid user.

if case have include parameters on function create much less secure.

i'm not understanding methods here.

you on right track. using rooms.findone() doesn't create sense on server, , frankly isn't on client either (if ever publish more 1 room break). need pass both message , room id method. method should validate insert makes sense. example, user in room. assuming that's tracked in room.members, sendmessage implemented follows:

class="lang-js prettyprint-override">meteor.methods({ sendmessage: function(message, roomid) { check(message, string); check(roomid, string); if (!this.user) throw new meteor.error(401, 'you must logged in.'); if (_.isempty(message)) throw new meteor.error(403, 'message must not empty.'); var room = rooms.findone(roomid); if (!room) throw new meteor.error(404, 'room not found.'); if (!_.contains(room.members, this.userid)) throw new meteor.error(403, 'you not in room.'); var name = meteor.user().profile.name; homecoming messages.insert({ userid: this.userid, roomid: roomid, name: name, message: message }); } });

not of these checks may necessary, illustration should give thought of rich set of validations method can provide.

mongodb methods meteor

Comments

Post a Comment

Popular posts from this blog

php - Edges appear in image after resizing -

php - Edges appear in image after resizing - i have implemented next function: private static function generatepicture($sizekey, $src, $initialwidth, $initialheight, $imagetype) { $destination = adimage::addsizekey($sizekey, $src); if (file_exists($destination)) { return; } $finalsize = adimage::$sizes[$sizekey]; $initialratio = $initialwidth / $initialheight; $finalratio = $finalsize["w"] / $finalsize["h"]; $newimage = imagecreatetruecolor($finalsize["w"], $finalsize["h"]); imagealphablending( $newimage, false ); imagesavealpha( $newimage, true ); $oldimage = imagecreatefromstring(file_get_contents($src)); if ($initialratio >= $finalratio) { $scale = $finalsize["h"] / $initialheight; $surpluss = abs($initialwidth - ($initialheight * $finalratio)); imagecopyresized($newimage, $oldimage, 0, 0, $surpluss / 2, 0, $finalsize["w"], $finalsize[&q
Read more

ios8 - iOS custom keyboard - preserve state between appearances -

ios8 - iOS custom keyboard - preserve state between appearances - i'm having performance problems custom keyboard i'm working on. loading words in spell correction tree takes quite bit of time. seems done each time keyboard appears - there way preserve state of keyboard? apps can suspend / resume etc - can't find documentation on how extensions, or if there's mechanism doing att all. thanks! you loading dictionary net or disk? first case nsuserdefaults, encoding (nscopying) options store info. can load in background. according docs, os typically kills extension process, so, think there no way prevent keyboard objects deallocation (you may utilize nskeydarchiver). ios8 ios-app-extension custom-keyboard
Read more

Delphi change the assembly code of a running process -

Delphi change the assembly code of a running process - i'm trying alter address 00741fa5 has push test.009e721c . alter push test.009e71c8 . procedure callback; asm force $9e71c8 end; procedure tform2.btn1click(sender: tobject); var ppid :dword; pprocess : cardinal; begin getwindowthreadprocessid(findwindow(nil,pchar('test')), @ppid); pprocess := openprocess(process_all_access, false, ppid); injectasm(pprocess, $741fa5, 10, integer(@callback), 0); end; here injectasm function (with error checking) function injectasm(process: longword; injectaddress, injectsize, codeaddress, codesize : integer): pointer; var csize, rsize : integer; replaced : array of byte; jmp : array [0..4] of byte; jmpaddress : integer; nopv : byte; : integer; nbr: ulong_ptr; begin //injectsize must equal or greater 5, because need space our //(far) jmp wwxxyyzz instruction //if there's no space, inject in place of few instructions if injectsize &
Read more