在哪里可以阻止用户访问其他用户?数据?
在我正在构建的网站上,我需要允许用户编辑他们的订单。很容易。但如何确保一个用户不能编辑其他用户的订单呢?我是否在模型或控制器中执行检查以验证订单是否属于经过身份验证的用户?
On a website I am building I need to allow users to edit their orders. Easy enough. But how do I ensure that a user cannot edit other users' orders? Do I perform checks in the model or in the controller to verify that the order belongs to the authenticated user?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(2)
将检查放入视图(是的,视图)中以快速响应用户错误。
在控制器中进行检查以确保数据完整性。
例如,在基于 Web 的应用程序中,您可能使用浏览器 JavaScript 来检查所有字段(包括用户名),以便用户获得快速响应以修复错误的交易。然而,回到您的服务器,您不能依赖浏览器来真正验证数据,因为浏览器不在您的控制范围之内 - 它可能会被有意或无意地损坏,并且不会按照您的预期进行验证。因此,您需要重新验证服务器上的所有内容以确保完整性。
Put checks in the view (yes, the view) for rapid response to user errors.
Put checks in the controller to ensure data integrity.
For example, in a web based app, you might have browser javascript to check all fields, including username, so the user gets rapid response to fix erroneous transactions. However, back at your server, you can not rely on the browser to really validate the data, since the browser is outside your control -- it might be corrupted, either intentionally or accidentally, and not doing validation as you intend. Thus you need to revalidate everything on your server to ensure integrity.
好吧,希望您的网站没有任何方式让用户尝试编辑其他人的订单。但如果仍然可以尝试,您可以将该逻辑放入模型或控制器中。这是一个意见问题。有人会说控制器应该做访问检查之类的事情,而模型只知道如何修改自己。其他人会说“胖模型,瘦控制器”,并说安全检查需要跨控制器可重用,因此它们应该放入模型中。这是你的决定。
Well hopefully your site doesn't have any way for a user to even attempt to edit someone else's orders. But if it's still possible to try, you could put that logic in either the model or controller. It's a matter of opinion. Some people will say that the controller should do things like access checks, and the model only knows how to modify itself. Others will say "fat model, skinny controller" and say that the security checks need to be reusable across controllers and so they should go in the model. It's your call.