doy2255 2014-06-17 11:45
浏览 23
已采纳

为FB选项卡应用程序创建“编辑设置”页面并对其进行保护

I'm trying to create a FB tab app. It's supposed to have an Edit Settings page, which is obviously supposed to be accessible only to page admins. If the admin is watching the tab - he's supposed to see a link to that page. I can do something like that with jQuery:

var is_admin = "<?php echo isset( $page['admin'] ) && $page['admin'] == 1 ? true : false; ?>";
if(is_admin)
   $("<div id='div_edit_settings'>Edit Settings</div>").appendTo("some_div");

And later I can detect when this link was clicked and present the page (it's supposed to be displayed inside the tab as well, but since it's stored on the server it's also accessible through a browser).

The problem is that JS is visible to Firebug and other browser developer tools, so somebody could just insert a code line and see that link. So what can I do to make sure that only admins can see that Edit page and that only admins are editing the settings? How can I protect the link and the Edit page itself?

  • 写回答

1条回答 默认 最新

  • douyu2817 2014-06-17 20:43
    关注

    You should use PHP to insert the link into your page, something like:

    <?php if ( isset( $page['admin'] ) && $page['admin'] == 1 ) : ?>
  <div id='div_edit_settings'>Edit Settings</div>
<?php endif; ?>

    You should also save the admin status to a session (with a name that isn't obvious, possible random string you can later check for), so that you can verify on other pages if the user viewing the link is actually an admin (you lost access to $page['admin'] when accessing other pages, unless you pass the signed_request to subsequent page calls.

    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论

报告相同问题?

悬赏问题

  • ¥20 基于MSP430f5529的MPU6050驱动,求出欧拉角
  • ¥20 Java-Oj-桌布的计算
  • ¥15 powerbuilder中的datawindow数据整合到新的DataWindow
  • ¥20 有人知道这种图怎么画吗?
  • ¥15 pyqt6如何引用qrc文件加载里面的的资源
  • ¥15 安卓JNI项目使用lua上的问题
  • ¥20 RL+GNN解决人员排班问题时梯度消失
  • ¥60 要数控稳压电源测试数据
  • ¥15 能帮我写下这个编程吗
  • ¥15 ikuai客户端l2tp协议链接报终止15信号和无法将p.p.p6转换为我的l2tp线路