How can I prevent someone from altering or avoiding my javascript entitlement logic when adding buttons to jquery UI dialog?

我怎样才能防止某人改变或避免我的JavaScript的权利逻辑jQuery UI对话框添加按钮的时候?

问题 (Question)

I am using jquery ui dialog and I am adding buttons to the dialog in javascript based on some entitlements logic (I pass in a boolean from my serverside ajax call if i am entitled and then I show different buttons based on that flag.

What concerned me is what is preventing someone from using developer tools like firebug and putting a breakpoint on that line that does the check and either altering the flag or dragging to skip over that entitlements check.

So my question is specific to adding buttons onto a jquery UI dialog (because its not like you can add the buttons from the server side since its a jquery plugin) but I guess it highlights are more general point around any entitlements logic on the client side being "vulnerable" so if there are any general best practices around this point I would be interested (but still looking for an answer to my specific example)

NOTE: I am also doing server side entitlement check on form post as a backup so I am still "protected" but I am still concerned about the point above

我使用jQuery UI对话框我加入按钮在JavaScript对话框基于一些权利的逻辑(我通过从我的服务器端的Ajax调用一个布尔值,如果我有权就表明基于不同的按钮,标志。

我担心的是什么是什么阻止别人使用开发工具像Firebug和将断点放线,并检查和改变国旗或拖动可以跳过授权检查。

所以我的问题是特定的按钮加入到一个jQuery UI对话框(因为它不喜欢你可以添加的按钮从服务器端从一个jQuery插件)但我猜它集锦是更一般的点周围的任何权利的逻辑在客户端被“脆弱”,所以如果有任何一般的最佳实践在这点我会感兴趣的(但仍然在寻找我的具体的例子一个答案)

笔记我也在做服务器端的授权检查的形式后,作为备份,所以我还是“保护”,但我还是担心上面一点

最佳答案 (Best Answer)

You cannot control what clients will do with your scripts, nor what requests they will make of your server. You must design your back-end API (not your JS client) to be the "gating mechanism" between the user and your system. It's best not to think of the JS as part of your system, but as a separate client that you ship as a reference implementation for your API.

But, if you wanted to at least make it difficult for users to mess with your code, you could minify and concatenate your JS scripts with something like Closure.

关闭。没有什么可以阻止人们从改变客户端的代码,这是不可避免的。

但是你可以从“服务器端”添加按钮,你只检索使用Ajax调用服务器的字符串,它但是你可以从“服务器端”添加按钮,你只检索使用Ajax调用服务器的字符串,它是一个js功能添加按钮,并在客户端做

答案 (Answer) 2

nothing prevents people from altering client side code, it is inevitable.

you can however add buttons from kind of "serverside", you just retrieve using ajax call a string from the server, which happens to be a js function that adds buttons, and in client side do eval() on that string which will execute the retrieved js function and will add the buttons. moreover, you can transmit your entire javascript code that way, so client cannot skip anything since all is being executed in the eval()

a quick example:

serverside function returns

string banana= "alert('test');";
return banana;

and clientside does

eval(response.d);

EDIT:

here is a theoretical example: FIDDLE

该字符串将执行检索的JS函数和将添加按钮。

此外,你可以将你的整个JavaScript代码的方式,所以客户不能跳过任何由于所有正在执行中的happens此外,你可以将你的整个JavaScript代码的方式,所以客户不能跳过任何由于所有正在执行中的eval()一个简单的例子:服务器端函数返回eval()

和客户端的呢

和客户端的呢

string banana= "alert('test');";
return banana;

编辑

eval(response.d);

这里是一个理论的例子:

小提琴小提琴

答案 (Answer) 3

As the other person suggested, you cannot implement security on the client for exactly the reason you point out. You could use basic auth, or try setting up a token based approach.

为其他人的建议,你不能实现安全客户端上的具体理由你点了。你可以使用基本身份验证,或尝试建立一个基于令牌的方法。

本文翻译自StackoverFlow,英语好的童鞋可直接参考原文:http://stackoverflow.com/questions/23451836