However much you persevere and try to protect data, there is the issue of data substitution. I use VueJS on the site, and there are variables of various types. For example, after authorizing a user, I get the user.lvl variable from the store; user.lvl is clearly the user level, and what data is displayed and what is not depends on it; the same concerns id and so on. The question is: I couldn't change them myself, but is it possible to replace them in a browser or on a phone via JS, for example? I can easily change the data of the app itself or the components (on the local server), but I couldn't get access to the store, even in DevTools.

I could not track the data myself, apart from the data that come by AJAX request, but there I just see them; the question is about substitution by ordinary means.

What worries me is access to the closed sections of the site after substitution, or access to personal data when changing the user id.

  • A small hint: the user can at least program his own browser with any capabilities he wants - andreymal
  • @andreymal I didn't understand the hint :) I understand that he can do what he wants. But I don't want to show him what is not needed when he replaces the id after a request to the server) - Ruslan Semenov
  • @RuslanSemenov if you are afraid that a request with a "wrong" id will be sent to the server, then the browser and vue have nothing to do with it: I can just write a dozen-line script in the same nodejs that will send any requests anywhere I want. Protection should be on the server, not in the browser and not in vue. And browsers also have request editing - andreymal
  • Yes, I agree. But the application is already running on the client side, and if I have a v-if="user.lvl > 2" check, then by replacing 1 with 99, will I get everything? Also, isAdmin true / false governs various data, depending on it - Ruslan Semenov
  • @RuslanSemenov this check just needs to be on the server. Even if the user replaces 1 with 99, then even if he sees all the dangerous buttons, they will simply be disabled, because the check on the server should kick such a user out with an access error - andreymal
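The point made in the comments above, as an added example that is not part of the original question or comments: the server derives the caller's identity and level from its own session store and ignores any `lvl`, `id` or `isAdmin` the client sends. The handler, session store, user table and route names are assumptions made for this illustration (a framework-free handler rather than a real Express app, so it runs offline).

```javascript
// Constructed sample data: a server-side session store and user table.
// The client never controls these; it only presents a session cookie.
const SESSIONS = { "sess-abc": 7, "sess-xyz": 3 }; // session token -> userId
const USERS = {
  3: { id: 3, name: "ruslan", lvl: 1 },
  7: { id: 7, name: "andreymal", lvl: 3 },
};
const ADMIN_LVL = 3;

// Resolve the caller from the session cookie only. Anything the client
// put in the body or query (user.lvl, user.id, isAdmin) is untrusted.
function currentUser(req) {
  const m = /(?:^|;\s*)sid=([^;]+)/.exec(req.headers.cookie || "");
  const userId = m && SESSIONS[m[1]];
  return userId ? USERS[userId] : null;
}

// req = { method, path, headers, body }; returns { status, body }.
function handleRequest(req) {
  const me = currentUser(req);
  if (!me) return { status: 401, body: { error: "not authenticated" } };

  // GET /users/<id>: a user may read only their own record unless the
  // server's copy of their level marks them as admin.
  const m = /^\/users\/(\d+)$/.exec(req.path);
  if (req.method === "GET" && m) {
    const target = Number(m[1]);
    if (target !== me.id && me.lvl < ADMIN_LVL) {
      return { status: 403, body: { error: "forbidden" } };
    }
    const u = USERS[target];
    return u
      ? { status: 200, body: u }
      : { status: 404, body: { error: "no such user" } };
  }

  // POST /admin/reset: same rule; a body claiming lvl: 99 changes nothing.
  if (req.method === "POST" && req.path === "/admin/reset") {
    if (me.lvl < ADMIN_LVL) return { status: 403, body: { error: "forbidden" } };
    return { status: 200, body: { ok: true } };
  }
  return { status: 404, body: { error: "not found" } };
}
```

The client-side `v-if="user.lvl > 2"` then only decides what to render; whatever value the store holds, a request that the session does not entitle the user to is refused with 403.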
