javascript - How to secure blueprint access in Sails.js -


so i'm pretty new sails.js seems bring lot table these blue prints,

right have 2 models, accounts / friends

it using association accounts has many friends

on client side have way send notifications users, 1 being friends request works fine, gives user option accept or decline invite

here's code:

socket.on('accounts', function(data) {     if (data.verb === "addedto" && data.attribute === "notifications") {       socket.get('/notifications/' + data.addedid, function(note) {         console.log(note);         if (!$.isemptyobject(note)) {           $scope.notifications.push({             'text': note.from_name + ' sent friends request',             'id':   note.id,             'type': note.type,             'from_id': note.from_id           })           $.notify('you have new notification', 'info');           $scope.$digest();         }       })     }   })  $scope.accept = function(notificationid, fromid) {  }

when people press accept button, want add friend both person accepted notification, , person sent it's mutual , they're both friends each other.

i making data object , doing socket.post friends both of them, , doing socket.put update notification being read , deal away it

the problem is, don't want people come in , open js console , spam socket.post million friends people maliciously

var obj {   'friend_name': 'bill',   'online': 1 }  socket.post('/accounts/1/friends', obj);

so, how can secure people accessing post /accounts/1/friends people should accessing this?

if i'm not making sense ask. thanks!

example of being spammed:

somebody opens js console , goes

var obj = { friend_name: 'bill', owner: 1 }; io.socket.post('/friends', obj);

500 times account id 1 has 500 friends named bill

correct me if misunderstood think logic wrong.

i assume bill account, when add name don't have connection account information , can identify him name. in order have kind of validation need unique identifier of bill. instead of name can add account_id , owner.

so if there 3 accounts:

  1. chris
  2. bill
  3. joe

you add var obj = { account_id: 2, owner: 1 };

so way can check policies if friend account_id , owner exists before adding new friend. if have questions how use policies ask.

anyway think better approach have 1 model , many many relationship model alone. account have many many relationship through third table sails create (that friends table). way in new table have 2 columns contain account ids. if let's on first row have ids 1 , 2, means chris , bill both friends , can think of logic make sure rows unique don't have problem spam. record haven't done many many relationship 1 model have figure out how it's done.


Comments

Post a Comment

Popular posts from this blog

c# - Validate object ID from GET to POST -

i have method allows user access comment have made on site. have post method lets them update comment. my normal solution send entire comment model through, let them update it, update on database when post back. involve sending commentid through in hiddenfor , can manipulated. how can verify commentid sent in get method same i'm getting in post , not able alter comment wish? how can verify commentid sent in method same i'm getting in post? basically have validate following things in post - user logged-in user. authenticated users post comments. commentid in post , should valid commentid , should present in database. userid associated logged-in user should same userid associated comment . comment should contain userid column, can check @ time of update. to make sure update happens comment has been sent in get - hold commentid in session , in post action compare commentid value in session .
Read more

node.js - Custom Model Validator SailsJS -

when using custom model validator checks record within model. return within spread doesn't seem end control flow. //post.js model /** * custom validator **/ types: { isuservalid: function(user_id) { var promise = require('bluebird'); promise.all([ user.findone({id: user_id}) ]) .spread(function(user) { console.log(user); if (user === null || user === undefined) { console.log('failed'); return false; }else{ console.log('passed'); return true; } }); } }, my response standard validation failed response. { "error": "e_validation", "status": 400, "summary": "1 attribute invalid", "model": "post", "invalidattributes": { "owner": [ { "rule": "isuservalid", ...
Read more

php - Find a regex to take part of Email -

i have following emails need extract part from: bestellnummer xxx: 1 von xxx, 1er pack ------------- anfang der nachricht ------------- foo bar baz foo bar baz // <<<<< need text here ------------- ende der nachricht ------------- ------------- anfang der nachricht ------------- foo bar baz foo bar baz ------------- ende der nachricht ------------- there 0 unlimited occurences of ------------- anfang der nachricht ------------- ------------- ende der nachricht ------------- and i'm able extract first part regex: $re = "/------------- .*? -------------.?(.*?).?------------- .*? -------------/s"; but, i'm quite new on learning regex, i'm pretty sure there must better regex extract part (foo bar baz foo bar baz) of text between ------------- anfang der nachricht ------------- ------------- ende der nachricht ------------- as can in different languages, i'm using .? to match between hyphens. i...
Read more