Comments (5)
We don't offer that because it's a false guarantee. You can always pause the debugger in the right place and change any variable. We intentionally don't provide an option like this because it would give a false impression of a security guarantee where there is none. If you don't want some code to run, don't send that code to the client.
from react-devtools.
Restricting developer tools is not the solution; the app would have bigger security concerns if no server-side validation is actually performed and it trusts everything the client sends.
It is similar to relying only on client-side JavaScript to perform input validation and hoping it solves SQL injection: an attacker can send the HTTP request by themselves, or make the validation function always return true.
from react-devtools.
Hello @ngyikp ,
First of all, thanks for your quick answer :) .
We have server-side validation and it won't be a problem for us that somebody tries to perform an action that is not allowed. For instance, the same page must be shown in a read-only mode depending on the kind of role. If someone changes the role and goes from a read-only role to a full-access role, this person will be allowed to change the data locally and try to send it to the server with the Save button. The server will respond: "You are not allowed to do this action" or whatever. That is controlled.
What I find a little bit weird is that the user can change the role defined in the Context because, in fact, it is a component with its own state and this state can be changed using the React Developer Tools. I do not know if saving this kind of data in the Context is the best option.
What do you think @ngyikp ?
Thanks for your answers!
from react-devtools.
@aaronplanell this has nothing to do with devtools.
Everything you do in front is done in the browser, so with any debugger or console, you can show and edit any variable in your code base.
However, indeed, we could expect that the devtools would be deactivated in the production environment, as the Vue.js ones are.
from react-devtools.
Hello @mathieutu ,
I understand that but, at least, to try not to make things so easy, hehehe.
I solved this issue because I used hooks with React 16.8 and the state is not updatable from the DevTools (AFAIK, it will be in React 16.9). Using the state of a component, it's editable and the user can change the isAuth value to true, then the user will see the inputs and the save button. If the user tries to save, the API will answer "You don't have permissions" and it's OK.
It would be nice to have a property to say: "OK. This state is not editable from DevTools" or, depending on the build (develop or production), make this decision.
What do you think?
Thanks for your answer :)
from react-devtools.
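The server-side check the thread relies on, as an added example that is not part of any comment above or of React DevTools: the Save endpoint takes the role from a server-held session and ignores any `role` or `isAuth` value the browser sends. The session store, role names and `handleSave` function are assumptions made for illustration, and the requests are constructed.

```javascript
// Added example (not from the thread). SESSIONS, CAN_SAVE, handleSave and the
// "viewer"/"editor" roles are hypothetical names chosen for illustration.

// Server-side session store: the role lives here, never in the request body.
const SESSIONS = new Map([
  ["sess-viewer-constructed", { user: "alice", role: "viewer" }],
  ["sess-editor-constructed", { user: "bob", role: "editor" }],
]);

// Roles permitted to use the Save action.
const CAN_SAVE = new Set(["editor"]);

// Handler behind the Save button. `req` is a plain object standing in for an
// HTTP request: { sessionId, body }.
function handleSave(req) {
  const session = SESSIONS.get(req.sessionId);
  if (!session) {
    return { status: 401, body: { error: "Not authenticated" } };
  }
  // req.body.role and req.body.isAuth are deliberately never read: any value
  // held in component state or Context can be edited in the browser.
  if (!CAN_SAVE.has(session.role)) {
    return { status: 403, body: { error: "You are not allowed to do this action" } };
  }
  // Input validation is also repeated on the server.
  const title = req.body ? req.body.title : undefined;
  if (typeof title !== "string" || title.length === 0 || title.length > 200) {
    return { status: 400, body: { error: "Invalid title" } };
  }
  return { status: 200, body: { savedBy: session.user, title } };
}

// Constructed request: a read-only user whose client state was edited so the
// UI shows the form, and whose request claims a full-access role.
const editedClientRequest = {
  sessionId: "sess-viewer-constructed",
  body: { role: "editor", isAuth: true, title: "Changed locally" },
};
// Constructed request from a user whose server-side role allows saving.
const legitimateRequest = {
  sessionId: "sess-editor-constructed",
  body: { title: "Quarterly report" },
};

console.log(handleSave(editedClientRequest).status); // rejected by the server
console.log(handleSave(legitimateRequest).status);   // accepted
```

With this in place, the role kept in Context only decides what the UI renders; it carries no authority.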