Why is the word User not used in code?

2025-01-15 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/02 Report--

Today I'll show you why the word User is not used in code. The article is a good one, and I would like to share it with you. I hope it will be helpful to anyone who needs it. Let's follow the editor's line of thought.

By the time you realize that the lightweight, simple ideas you had at the start of the project are completely wrong, you have already spent six months on it.

Now you need to solve these problems to keep the system running, and you find that you are spending far more energy on the project than you expected. If you had done it the right way in the first place, this wouldn't have happened.

Today I want to tell you about a common mistake, a word that will bring you endless problems: "users".

There are two basic problems with this word:

- "User" is almost never a good description of your needs.
- "User" can lead to a basic security design flaw.

The concept of "user" is vague, and using more precise terminology almost always works better.

You have no users

To begin with, no software system really has a "user". At first glance, "user" is a good description, but when you think about it, you realize that your business logic is actually much more complex than that.

I will use three examples, starting from an extreme case.

There are no "users" in the flight reservation system

I have written access control logic for the flight reservation system, and here are only a few of the requirements:

- Passengers can use the reservation record code to view the reservation information through the website.
- Buyers can modify the reservation information on the website by the last four digits of the credit card number.
- Travel agencies can view and modify their reservations.
- Airline flight attendants can view and modify reservation information according to their roles and airlines, which requires passengers to provide identity information.

I won't enumerate them all. Some of the basic human-related concepts are "traveler", "agent" (websites can also be regarded as agents) and "purchaser". The concept of "user" is of no use at all here, and in many requests I don't use the word at all. For example, our request must include the documents of passengers and agents, not those of users.

Unix does not have "users"

Let's look at a different example. Unix (known as POSIX these days) has users who can log in and execute code. Doesn't this look good? Let's take a closer look.

If we think of everything as "users", we will have:

- People who log in using terminals or graphical interfaces.
- System services such as email or web servers, which also run as "users". For example, nginx can be run as the httpd user.
- On servers, an administrator account that multiple people often share for SSH login (for example, the default SSH account on Amazon's Ubuntu virtual machines is 'ubuntu').
- The root identity, which is different from the other identities above.

The four above are essentially different concepts, but they are all "users" on POSIX. As we will see in a moment, calling all of these concepts "user" can lead to a lot of security problems.

Operationally, within the boundaries of the POSIX user model, we can't even find a way to say "only let Alice and Bob log in through this account".

SaaS service providers do not have "users"

Jeremy Green recently posted on Twitter about the application of the user model in SaaS, and that was what first prompted me to write this article. His basic point is that, in SaaS services, almost always:

- A person in an organization pays for the service.
- One or more people share the service.

If you treat these people as users in the first place, you will end up in a world of pain. You can't build a team model, you can't build a model in which payment covers multiple people at once, and then you have to start revamping your system. Now that you've learned a lesson in the SaaS case, let's take a look at your life.

But this is just one of many examples: the concept of "users" is too vague. If you start to doubt the word "user", you may eventually find that you only need two concepts: team (for organizing relationships and payments) and members (people who actually use the service).

"Users" is a security issue

The word "user" is not just a matter of business logic, it also leads to a series of security problems.

The word "user" is so vague that it fundamentally merges two concepts:

- A person.
- Their representation in software.

To illustrate this, suppose you visit a malicious website, and an image on its server causes a memory overflow in your browser. The remote website takes control of your browser and starts uploading your files to its own service.

Why can it do that?

Because the browser runs as a system user, and that user is considered to be the same as your human identity, although in fact the two are different. As a person, you don't want to upload files. But the system account is also a "user" and can upload files. If the browser is running under your account, all its actions are treated as your intention, as if you had told it to do so, when in fact you did not.

This is the problem known as the Confused Deputy. If you use the word "user" to describe two fundamentally different things, this problem is more likely to become part of your design.
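The difference can be shown with a small model of the upload decision, first with the account as the only identity and then with the person and the program as separate principals. This is an added example, not code from the original article; the class names, file paths and the per-file grant mechanism are assumptions chosen for illustration.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Person:                 # the human being
    name: str

@dataclass(frozen=True)
class Program:                # software running under that person's account
    name: str
    account: str

@dataclass
class AmbientFiles:
    """Weak design: the account is the only identity the check can see."""
    owner_account: str

    def may_upload(self, program: Program, path: str) -> bool:
        # Every program under the account is treated as the person's will.
        return program.account == self.owner_account

@dataclass
class GrantedFiles:
    """Hardened design: the person and the program are separate principals."""
    owner: Person
    grants: set = field(default_factory=set)   # (program name, path) pairs

    def grant(self, person: Person, program: Program, path: str) -> None:
        # Only the person can delegate, and only one file to one program.
        if person != self.owner:
            raise PermissionError("only the owner can grant access")
        self.grants.add((program.name, path))

    def may_upload(self, program: Program, path: str) -> bool:
        return (program.name, path) in self.grants

def demo() -> dict:
    alice = Person("alice")                          # constructed names and paths
    browser = Program("browser", account="alice")
    ambient = AmbientFiles(owner_account="alice")
    granted = GrantedFiles(owner=alice)
    # The person picks one file, for example through a file chooser dialog.
    granted.grant(alice, browser, "/home/alice/photo.jpg")
    return {
        "ambient_other_file": ambient.may_upload(browser, "/home/alice/taxes.pdf"),
        "granted_picked_file": granted.may_upload(browser, "/home/alice/photo.jpg"),
        "granted_other_file": granted.may_upload(browser, "/home/alice/taxes.pdf"),
    }
```

In the ambient model a compromised browser can upload any file the account can read; in the granted model it is limited to the files the person explicitly handed to it.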

The value of pre-design

Spending less time dealing with the same problem is the key to becoming a productive programmer. If you organize your software around vague concepts such as "users", you will spend a lot of time and effort solving the problems that follow. Starting to code right away seems productive, but the opposite is true.

The next time you start a new software project, take a few hours to determine your terminology and concepts in advance. You will still not get them completely right, but you will do better. In the future, you will appreciate all the work you did to prevent waste.
