google chrome - Meteor Dev Tools Auditor is marking collections as insecure -

-

i use meteor dev tools plugin in chrome, , i’ve noticed cool new feature, worrying me way i've coded app. audit collection tool telling me of collections insecure.

i still using meteor 1.2 blaze

1. 1 of them meteor_autoupdate_clientversions

1.1. should worry one?

1.2. how protect it? insert, update , remove marked insecure.

2. have cycles collection, has marked insecure: update , remove collection updated on database , not supposed accessed frontend, , not meant related client interaction.

for collection have these allow/deny rules in common folder (both client , server) i've tried applying these rules on server side, didn't see difference on audit results.

2.1. should these rules on server side?

cycles.allow({     insert: function () {         return false;     },     remove: function () {         return false;     },     update: function () {         return false;     } }); cycles.deny({     insert: function () {         return true;     },     remove: function () {         return true;     },     update: function () {         return true;     } });

2.2. how protect collection?

3. , then, have collection insecure check users, remove marked insecure. on webapp don't make use of users, there no login, etc. might want implement in future, though.

3.1 should worry collection being insecure, since don't use @ all?

3.2 how protect collection?

you not have allow or deny. remove insecure package meteor app. can use publish/subscribe , methods data insert, update , delete.

remove please fo code app:

cycles.allow({     insert: function () {         return false;     },     remove: function () {         return false;     },     update: function () {         return false;     } }); cycles.deny({     insert: function () {         return true;     },     remove: function () {         return true;     },     update: function () {         return true;     } });

for 1.1

this happens while user logging. basically, issue not login method. see wait time: https://ui.kadira.io/pt/2fbbd026-6302-4a12-add4-355c0480f81d

why login method slow?

this happens when everytime, app gets reconnected. so, after sucessful login, re-run publications again. that's why saw such delay login hence publication.

there no such remedy , kind fine unless app having lot of througput/subrate method/publication.

for 3.1 : not have worry inscure anymore after removing allow/deny , insecure package. make sure, write secure methods.


Comments

Post a Comment

Popular posts from this blog

java - Suppress Jboss version details from HTTP error response -

-
my jboss verson jboss eap 6.3 when kind of error response sent jboss, adds server information response. following sample row response: http/1.1 400 bad request server: apache-coyote/1.1 content-type: text/html;charset=utf-8 content-length: 2391 date: tue, 19 jul 2016 09:30:46 gmt connection: close jboss web/7.4.8.final-redhat-4 - jbweb000064: error report jbweb000065: http status 400 - org.codehaus.jackson.map.jsonmappingexception: can not construct instance of mybean.type string value 'xyz': value not 1 of declared enum instance names @ [source: org.jboss.resteasy.core.interception.messagebodyreadercontextimpl$inputstreamwrapper@5e421c2b; line: 14, column: 26] (through reference chain: requestargs["request"]) jbweb000309: type jbweb000067: status report jbweb000068: message org.codehaus.jackson.map.jsonmappingexception: can not construct instance of mybean.type string value 'xyz': value not 1 of declared enum instance names @ [source: org.jboss...
Read more

gridview - Yii2 DataPorivider $totalSum for a column -

-
i have order , ordersearch models. in order list (actionindex) gridview there filtering , sorting. on of columns in order order_total (sum of products in order). i need implement sum of order_total in gridview. if manually counting activedataprovider->getmodels() array_map spend 3 seconds 3000 orders (localhost). don't want miss time. i see 2 ways make faster: create cache every filter , update lifetime (horrible) the interesting can right in ordersearch->search() method $query method. don't understand how can pass in controller. example of code 2nd way: class ordersearch extends order { public $totalsum; public function search($params) { $query = order::find(); $dataprovider = new activedataprovider([ 'query' => $query, ]); $this->load($params); $this->totalsum = $query->sum('order_total'); // works fast return $dataprovider; } } after i...
Read more

Sass watch command compiles .scss files before full sftp upload -

-
i use winscp download , edit .scss files , sass on linux (on server) compile them .css . after saving file, use: sass scss/style.scss css/style.css , replaces css file compiled sccs. the problem i want skip part return command line after editing scss file, sake of automation , saving time. but, if use watch command: sass --watch scss/style.scss:css/style.css synchronize 2 files, alerts nonexistent css errors pop up: change detected to: scss/style.scss error scss/style.scss (line 232: invalid css after "...ht: bold; line-": expected "{", "") note that when file uploads quicker usual (sometimes happens) watch command job, no errors. this because, when file upload takes time, sass compiles scss file (on server) before uploaded remote folder. thus, compiles part of file, resulting in css errors. is there way set timer watch command waits few seconds after detects changes , before compiling? any other way overcome is, of course, ...
Read more