How can I prevent someone from altering or avoiding my javascript entitlement logic when adding buttons to jquery UI dialog?


Question

I am using jQuery UI dialog and I am adding buttons to the dialog in JavaScript based on some entitlements logic (I pass in a boolean from my server-side AJAX call if I am entitled, and then I show different buttons based on that flag).

What concerned me is: what is preventing someone from using developer tools like Firebug, putting a breakpoint on the line that does the check, and either altering the flag or dragging to skip over that entitlements check?

So my question is specific to adding buttons onto a jQuery UI dialog (because it's not like you can add the buttons from the server side, since it's a jQuery plugin), but I guess it highlights a more general point around any entitlements logic on the client side being "vulnerable", so if there are any general best practices around this point I would be interested (but I am still looking for an answer to my specific example).

NOTE: I am also doing a server-side entitlement check on form post as a backup, so I am still "protected", but I am still concerned about the point above.



Best Answer

You cannot control what clients will do with your scripts, nor what requests they will make of your server. You must design your back-end API (not your JS client) to be the "gating mechanism" between the user and your system. It's best not to think of the JS as part of your system, but as a separate client that you ship as a reference implementation for your API.

But, if you wanted to at least make it difficult for users to mess with your code, you could minify and concatenate your JS scripts with something like Closure.
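An added example (not code from the original post) of the split this answer describes: the client builds the jQuery UI `buttons` object from the server's entitlement flag for display only, while the server re-derives entitlement from the authenticated session and ignores anything the client claims. The `/entitlement` and `/approve` endpoints, the session shape and the role policy are assumptions for the illustration.

```javascript
// Client side: builds the object jQuery UI expects in dialog({ buttons: ... }).
// `entitled` is the boolean the server's entitlement call returned. Hiding a
// button here is a UI convenience, not an access control.
function buildDialogButtons(entitled, onApprove, onCancel) {
  var buttons = { Cancel: onCancel };
  if (entitled) {
    buttons.Approve = onApprove;
  }
  return buttons;
}

// Server side (assumed Node-style handler shape): the real gate. Entitlement is
// looked up from the session, so editing the flag in a debugger, skipping the
// client check, or posting the form directly still yields 403.
var ENTITLED_ROLES = { approver: true }; // constructed sample policy

function handleApprove(session, body) {
  if (!session || !session.userId) {
    return { status: 401, body: 'not authenticated' };
  }
  // body.entitled (or any other client-supplied claim) is deliberately ignored.
  if (!ENTITLED_ROLES[session.role]) {
    return { status: 403, body: 'not entitled' };
  }
  return { status: 200, body: 'approved item ' + String(body.itemId) };
}

// Browser usage; only runs where jQuery UI is actually loaded.
if (typeof $ !== 'undefined' && $.fn && $.fn.dialog) {
  $.getJSON('/entitlement', function (res) {
    $('#dlg').dialog({
      buttons: buildDialogButtons(
        res.entitled,
        function () { $.post('/approve', { itemId: 42 }); },
        function () { $('#dlg').dialog('close'); }
      )
    });
  });
}
```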



Answer 2

Nothing prevents people from altering client-side code; it is inevitable.

You can, however, add buttons from a kind of "server side": you retrieve, using an AJAX call, a string from the server which happens to be a JS function that adds buttons, and on the client side you do eval() on that string, which will execute the retrieved JS function and add the buttons. Moreover, you can transmit your entire JavaScript code that way, so the client cannot skip anything, since everything is being executed in the eval().

A quick example:

The server-side function returns

string banana = "alert('test');";
return banana;

and the client side does



Here is a theoretical example: FIDDLE


Answer 3

As the other person suggested, you cannot implement security on the client, for exactly the reason you point out. You could use Basic auth, or try setting up a token-based approach.