Astronomy is a very promising package, but I have some (potentially dumb) questions.
Please help me fill in the gaps in my understanding.
(Sorry for the markdowned question numbers.)
- What could be some potential security implications of Astronomy's `set` / `get` methods being available to the Client? i.e. can this cause some data or security leaks?
In the following example we get all the fields of the class instance.
```js
// Returns object with all fields: '_id', 'title' and 'commentsCount'.
post.get();
```
Also, if a malicious user can override (shadow) some Class properties from the Client, for ex. set `post.set = cleverBadFunction`, how dangerous could this be?
```js
// You can also set values directly but assigned values won't be converted to the proper type of the fields.
post.title = 'New title';
post.title = 123; // Value won't be converted to String.
alert(post.title); // 123, not '123'
```
- Since the `methods` property is available to the Client, what would be some good ways to hide the body (source) of functions defined in `methods`?
- If the `methods` property can be overwritten at runtime, how bad could that be?
If a user can add methods from the Client, what should we look out for?
We also have here two ways of adding methods to an already defined schema:
- Since the Astronomy event hooks for the Class "…will not be called on direct manipulations of the underlying collections (i.e. `Posts.remove(id)`)", how do we handle security and tracking of unauthorized/unexpected modifications to collections?
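To make the concern about clients bypassing `set()` concrete, here is an added example (not from the original post or the Astronomy package): a server-side validation step that re-checks field types and rejects unknown fields regardless of what the client's `get()`/`set()` did or whether they were shadowed. The schema shape and the names `postSchema`, `validateDocument` and `insertPost` are assumptions for illustration, not Astronomy or Meteor APIs.

```javascript
// Added example (not Astronomy's own code): a server-side check that does not
// trust the client's set()/get() behaviour. postSchema, validateDocument and
// insertPost are assumed names for illustration, not Astronomy/Meteor APIs.
// Constructed schema mirroring the fields mentioned in the question.
const postSchema = {
  _id:           { type: 'string', required: false },
  title:         { type: 'string', required: true, maxLength: 200 },
  commentsCount: { type: 'number', required: true, min: 0 },
};

// Returns a list of problems; an empty list means the document is acceptable.
function validateDocument(doc, schema) {
  if (doc === null || typeof doc !== 'object' || Array.isArray(doc)) {
    return ['document must be a plain object'];
  }
  const errors = [];
  // A client that bypasses set() can attach arbitrary keys, so reject unknown ones.
  for (const key of Object.keys(doc)) {
    if (!Object.prototype.hasOwnProperty.call(schema, key)) {
      errors.push(`unexpected field: ${key}`);
    }
  }
  for (const [key, rule] of Object.entries(schema)) {
    const value = doc[key];
    if (value === undefined) {
      if (rule.required) errors.push(`missing field: ${key}`);
      continue;
    }
    // No coercion: 123 is not accepted as a title, so the client-side
    // "value won't be converted to String" case is rejected, not papered over.
    if (typeof value !== rule.type) {
      errors.push(`${key}: expected ${rule.type}, got ${typeof value}`);
      continue;
    }
    if (rule.type === 'string' && rule.maxLength && value.length > rule.maxLength) {
      errors.push(`${key}: longer than ${rule.maxLength} characters`);
    }
    if (rule.type === 'number' &&
        (!Number.isFinite(value) || (rule.min !== undefined && value < rule.min))) {
      errors.push(`${key}: out of range`);
    }
  }
  return errors;
}

// Hypothetical server-side insert path: validates first, writes only on success.
function insertPost(doc) {
  const errors = validateDocument(doc, postSchema);
  if (errors.length > 0) return { ok: false, errors };
  return { ok: true, errors: [] }; // a real handler would write to Posts here
}
```

The same check belongs in every server-side write path (methods, allow/deny rules), since client-side class instances and their hooks can be modified or bypassed entirely.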