Tags: javascript, security, knockout.js, devtools

Knockout JS Security Advice / Dev Tools


I have an MVC / SPA application with a number of knockout functions that all have variables assigned to them so they can be called from the other functions. So when someone updates something, it calls something else on the page if it's there and makes a call to the server.

All the primary keys in the database are integers.

The data and the models come from the MVC Page Model which is converted to JSON and mapped using the fromJSON utility.

var myFunction1ViewModel;
var myFunction2ViewModel;

var Function1ViewModel = function () {
    var self = this;
    // The model is rendered by the MVC page as JSON in a hidden field
    self.data = ko.mapping.fromJSON($("#serverData1").val());
    self.doSomething = function () {
        // call server;

        // Only call the other view model if its panel has been initialised
        if (typeof myFunction2ViewModel !== 'undefined') {
            myFunction2ViewModel.doSomethingElse();
        }
    };
};

var Function2ViewModel = function () {
    var self = this;
    self.data = ko.mapping.fromJSON($("#serverData2").val());
    self.doSomethingElse = function () {
        // call server;
    };
};

function initFunction1() {
    myFunction1ViewModel = new Function1ViewModel();
    ko.cleanNode($('.panel-content')[0]);
    ko.applyBindings(myFunction1ViewModel, $('.panel-content')[0]);
}

function initFunction2() {
    myFunction2ViewModel = new Function2ViewModel();
    ko.cleanNode($('.panel-content2')[0]);
    ko.applyBindings(myFunction2ViewModel, $('.panel-content2')[0]);
}

$(document).ready(function () {
    initFunction1();
    initFunction2();
});

While playing around in devtools I typed

myFunction2ViewModel.data.PrimaryKeyId(99999999999)

and made a change in the browser that called the server which sent my edited primary key to the server.

My question is: how do you prevent something like that? I am running checks to see if the object the person is editing is allowed to be edited, but in theory I'm going to have to check every property coming back to the server to see if it's something they can edit. Some of my models are quite complex and have lots of data.

Any ideas or comments would be appreciated.

Thanks

James


Solution

  • This question really has nothing to do with Knockoutjs.

    You can't trust the client. Period.

    Any request that you receive from the client must go through authorization irrespective of what kind of encapsulation you have on the client side. Because even if you can prevent these variables from being accessed through devtools, people can easily access your api directly and send whatever request they want.

    So yes, you do have to check every property coming to the server (if you have property level granular authorization). You may want to consider investing time integrating a role based hierarchical authorization library in your backend if you don't already have one in place.
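The server-side handling the answer describes, as an added example that is not code from the question or the answer. It assumes an in-memory `Map` standing in for the database, a `user` object that the server's own session layer has already established (never read from the request body), a hypothetical role-based allowlist `EDITABLE_BY_ROLE`, and constructed sample records. The record id is taken only from the route, ownership is checked against the stored record, and a client-supplied `PrimaryKeyId` (or any other non-allowlisted property) is dropped and reported rather than bound:

```javascript
// In-memory stand-in for the database (constructed sample data).
const db = new Map([
  [1, { PrimaryKeyId: 1, OwnerId: 'alice', Title: 'Mine', Balance: 100 }],
  [2, { PrimaryKeyId: 2, OwnerId: 'bob', Title: 'Not mine', Balance: 50 }],
]);

// Hypothetical role-based allowlist: which properties each role may change.
// Anything not listed (PrimaryKeyId, OwnerId, ...) is server-owned and ignored.
const EDITABLE_BY_ROLE = {
  user: new Set(['Title']),
  admin: new Set(['Title', 'Balance']),
};

class AuthorizationError extends Error {}

// user:    { id, role } from the server's own session/auth layer.
// routeId: the id from the URL, the only place the key is taken from.
// body:    the JSON the client posted (e.g. ko.mapping.toJSON of a view model).
// Returns the updated record plus the list of properties the client tried to
// change but was not allowed to, so the caller can log the attempt.
function updateRecord(user, routeId, body) {
  const id = Number(routeId);
  if (!Number.isInteger(id) || id <= 0) throw new RangeError('invalid id');

  const record = db.get(id);
  // Authorize against the stored record, not the posted one. Same error for
  // "missing" and "not yours" so a caller cannot tell valid ids from invalid.
  if (!record || record.OwnerId !== user.id) {
    throw new AuthorizationError('not found');
  }

  const allowed = EDITABLE_BY_ROLE[user.role] || new Set();
  const rejected = [];
  // Copy only allowlisted properties; anything else is ignored, and flagged
  // if the client actually tried to change its value.
  for (const [key, value] of Object.entries(body || {})) {
    if (allowed.has(key)) {
      record[key] = value;
    } else if (record[key] !== value) {
      rejected.push(key);
    }
  }
  return { record, rejected };
}

function getRecord(id) {
  return db.get(id);
}
```

Calling `updateRecord({ id: 'alice', role: 'user' }, '1', { PrimaryKeyId: 99999999999, Title: 'Renamed', Balance: 0 })` renames the record but leaves `PrimaryKeyId` at 1 and `Balance` at 100, and returns `rejected: ['PrimaryKeyId', 'Balance']`; the same body posted for record 2 throws `AuthorizationError` because alice does not own it. The allowlist is what makes the per-property check cheap on a large model: the server never has to reason about what the client sent, only about what it is willing to accept.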