when every function call to server, in server side before you do the action , you need to check if this user is allowed to do this action.

当每个函数调用服务器时，在服务器端执行操作之前，您需要检查是否允许此用户执行此操作。

It is necessary to build server-side permissions mechanism to prevent unwanted actions, you may want to define groups of users, not individual user level, it makes it easier.

有必要建立服务器端权限机制以防止不需要的操作，您可能希望定义用户组，而不是单个用户级别，这样更容易。

Anything on the client side could be spoofed. If you use some type of secret key + parameter signature, your signature algorithm must be sufficiently random/secure that it cannot be reverse engineered.

客户端的任何内容都可能被欺骗。如果您使用某种类型的密钥 + 参数签名，您的签名算法必须足够随机/安全，不能被逆向工程。

The overhead created with adding client side complexity is better spent crafting proper server side validations.

增加客户端复杂性所产生的开销最好用于制作适当的服务器端验证。

What would you do to minimize hacking in that case ?

在这种情况下，您会怎么做才能最大程度地减少黑客攻击？

You can't work around using validation methods on the server side.

您无法在服务器端使用验证方法。

A more simple way to validate is to add another parameter for every javascript function, this parameter must be a signature between previous parameters and a secret key.
How good sounds the solution above to you ?

一种更简单的验证方法是为每个 javascript 函数添加另一个参数，该参数必须是先前参数和密钥之间的签名。
上面的解决方案对您来说听起来有多好？

And how do you use the secret key without the client seeing it? As you self mentioned before, the user easily can manipulate your javascript, and also he can read everything in javascript, the secret key, too!

以及如何在没有客户端看到的情况下使用密钥？正如您之前提到的，用户可以轻松操作您的 javascript，并且他也可以读取 javascript 中的所有内容，密钥！

You can't hide anything in JavaScript, the only thing you can do is to obscure things in JavaScript, and hope nobody tries to find out what you try to hide.

你不能在 JavaScript 中隐藏任何东西，你唯一能做的就是在 JavaScript 中隐藏一些东西，并希望没有人试图找出你试图隐藏的东西。

This is why you must validate everything on the server. You can never guarantee that the user won't mess about with things on the client.

这就是为什么您必须验证服务器上的所有内容。您永远无法保证用户不会在客户端上乱搞事情。

Everything, even your javascript source code is visible to the client and can be changed by them, theres no way around this.

一切，甚至您的 javascript 源代码对客户端都是可见的，并且可以由他们更改，这是无法解决的。

There's really no way to do this completely client-side. If the person has a valid auth cookie, they can craft any sort of request they want regardless of the code on the page and send it to your server. You can do things with other, encrypted cookies that must sent back with the request and also must match the inputs on the page, but you still need to check this server-side. Server-side security is essential in protecting your application from unauthorized access and you must ensure, server-side, that every action being performed is one that the user is authorized to perform.

真的没有办法完全在客户端做到这一点。如果此人拥有有效的 auth cookie，则他们可以制作任何他们想要的请求，而不管页面上的代码如何，并将其发送到您的服务器。您可以使用其他加密的 cookie，这些 cookie 必须与请求一起发回，并且还必须与页面上的输入匹配，但您仍然需要检查此服务器端。服务器端安全性对于保护您的应用程序免遭未经授权的访问至关重要，您必须确保在服务器端执行的每项操作都是用户有权执行的操作。

You certainly cannot hide anything client side, so there is little point in trying to do so.

您当然无法隐藏客户端的任何内容，因此尝试这样做毫无意义。

If what you are saying is that you are sending something like a user ID and you want to ensure that the returned value has not been illicitly changed then the simplest way of doing so it probably to generate and send a UUIDalongside it, and check on return that the value of the uuid matched that stored on the server for the userID before doing any further processing. The space for uuid's is so large that you can discount any false hits ever occurring.

如果你说的是你正在发送类似用户 ID 的东西，并且你想确保返回的值没有被非法更改，那么最简单的方法可能是生成并发送一个UUID，并检查在进行任何进一步处理之前，返回 uuid 的值与存储在服务器上的用户 ID 的值相匹配。uuid 的空间非常大，您可以忽略任何发生的误报。

As to actual server side processing vulnerabilities:- you should simply always build in your security/permissions as close to the database as you can, and defiantly not in the client. There's nothing different in the scenario you outline from any normal client-server design.

至于实际的服务器端处理漏洞：-您应该始终尽可能靠近数据库构建安全/权限，并且绝对不要在客户端中构建。您概述的场景与任何普通的客户端-服务器设计没有什么不同。

Peter from Teamworkpm.net here - I'm one of the main developers and was concerned to come across this report about a security problem. I checked into this and I am happy that is not possible to delete a task that you shouldn't have access to.

来自 Teamworkpm.net 的 Peter 在这里 - 我是主要开发人员之一，并且担心遇到此关于安全问题的报告。我检查了这个，我很高兴无法删除您不应该访问的任务。

You get a message saying "You do not have permission to delete this task".

您收到一条消息，提示“您无权删除此任务”。

I think it is just the confusion between being a Project Administrator and being an overall Administrator that is the problem here :- You may not be a member of a project but as an overall administrator, you still have permission to delete any task within your Teamwork site. This is by design.

我认为这只是项目管理员和整体管理员之间的混淆，这就是这里的问题：-您可能不是项目的成员，但作为整体管理员，您仍然有权删除团队中的任何任务地点。这是设计使然。

We take security very seriously and it's all implemented server side because as Jens F says, we can't reply on client side security.

我们非常重视安全性，这一切都在服务器端实现，因为正如 Jens F 所说，我们无法回复客户端安全性。

If you do come across any issues in TeamworkPM that you would like to discuss, we'd encourage any of you to just hit the feedback link and you'll typically get an answer within a few hours.

如果您确实在 TeamworkPM 中遇到任何想要讨论的问题，我们鼓励你们中的任何人点击反馈链接，您通常会在几个小时内得到答复。