Question
Getting acquainted with Sails for Node.
One thing I need to get used to is the 'automagic' way in which routes for controller-methods are set up using blueprints.
For example, from the docs, if actions blueprints are enabled (which they are by default) GET, POST, PUT, and DELETE routes will be generated for every one of a controller's actions.
E.g. from the docs, when you've got controller-method EmailController.send the following routes are created:
* `EmailController.send`
* `GET /email/send/:id?`
* `POST /email/send/:id?`
* `PUT /email/send/:id?`
* `DELETE /email/send/:id?`
The docs specifically state: actions blueprints are enabled by default, and are OK for production -- however, you must take great care not to inadvertently expose unsafe controller logic to GET requests.
Normally I would write a controller-method for ONE specific HTTP verb (e.g.: POST). That's clearly not compatible with this automagic wiring, since these methods would be exposed on GETs (and PUTs and DELETEs) as well, which would leave a huge security footprint imho.
So: what's the practical use of enabling these actions blueprints? To me, it seems like a huge security risk. On the other hand, I can (theoretically) imagine writing all controller methods with conditional logic to discriminate between HTTP verbs, but for most controller methods this just doesn't make sense.
So help me out: What's the advantage of working with these actions blueprints which Sails seems to try to nudge me towards? Or is it just a way to get going quickly, but really not meant for production?
Thanks for wrapping my head around this.
Answer 1:
Action blueprints automatically create routes to all the available controller methods. I personally turn them off, and do my routing manually.
RESTful blueprints automatically generate the controller methods themselves, which would then have routes to them created by the action blueprints. I believe these are the REST defaults:
* GET /boat/:id? -> BoatController.find
* POST /boat -> BoatController.create
* PUT /boat/:id -> BoatController.update
* DELETE /boat/:id -> BoatController.destroy
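To make the answer's advice concrete, here is an added example (not from the question, the answer, or Sails itself) that models the routes the actions blueprint would generate, as quoted from the docs, and lists which of them a controller would never have been given in an explicit `config/routes.js`; the `config/blueprints.js` key names (`actions`, `rest`, `shortcuts`) are assumed to be those of Sails 0.10.

```javascript
// Added example, not from the question or from Sails. Assumes the docs'
// behaviour: with the actions blueprint on, every controller action gets
// GET, POST, PUT and DELETE routes under /<controller>/<action>/:id?.
const VERBS = ['GET', 'POST', 'PUT', 'DELETE'];

// Routes the actions blueprint would generate for { ControllerName: ['action', ...] }.
function blueprintActionRoutes(controllers) {
  const routes = [];
  for (const [ctrl, actions] of Object.entries(controllers)) {
    const base = '/' + ctrl.replace(/Controller$/, '').toLowerCase();
    for (const action of actions) {
      for (const verb of VERBS) {
        routes.push({ verb, path: `${base}/${action}/:id?`, target: `${ctrl}.${action}` });
      }
    }
  }
  return routes;
}

// Parse a config/routes.js style map such as { 'POST /email/send': 'EmailController.send' }.
// A key with no verb ('/email/send') matches every verb, recorded here as '*'.
function explicitRoutes(routesConfig) {
  return Object.entries(routesConfig).map(([key, target]) => {
    const parts = key.trim().split(/\s+/);
    const [verb, path] = parts.length === 2 ? parts : ['*', parts[0]];
    return { verb: verb.toUpperCase(), path, target };
  });
}

// Blueprint routes whose verb/target pair was never declared explicitly: the
// "unsafe controller logic exposed to GET" (and PUT, DELETE) the docs warn about.
function unintendedExposure(controllers, routesConfig) {
  const intended = new Set(explicitRoutes(routesConfig).map(r => `${r.verb} ${r.target}`));
  return blueprintActionRoutes(controllers).filter(
    r => !intended.has(`${r.verb} ${r.target}`) && !intended.has(`* ${r.target}`));
}

// Constructed sample: the question's EmailController.send, meant for POST only.
const sampleControllers = { EmailController: ['send'] };
const sampleRoutes = { 'POST /email/send': 'EmailController.send' };

// Hardened config/blueprints.js (assumed Sails 0.10 key names): with the
// blueprints off, only the explicit routes in config/routes.js are served.
const blueprintsConfig = { actions: false, rest: false, shortcuts: false };

for (const r of unintendedExposure(sampleControllers, sampleRoutes)) {
  console.log(`blueprint would also expose ${r.verb} ${r.path} -> ${r.target}`);
}
```

Running the audit against a real project means feeding it the action names of each file in `api/controllers/` and the real `config/routes.js` map; anything it prints is a route that exists only because of the blueprint.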
Source: https://stackoverflow.com/questions/23156944/sails-disable-blueprints-actions-in-production-since-it-creates-a-huge-secur