Collection definitions in root directory

autopublish package exists: data can be seen and updated;
Remove autopublish package: data can't be seen;

Add publish method in server js file, and subscribe methods in client js file: data can be seen and updated;

# in server:
Meteor.publish('mallData', function(){
  return Mall.find();
});

# in client:
Meteor.subscribe('mallData');

Remove insecure package: data can be seen, but can't be updated;

Add an allow rule in js file in root directory: only "status" field can be updated.

Mall.allow({
  update: function(userId, doc, fieldNames, modifier){
    if ((fieldNames.length === 1) &&
        (fieldNames[0] === 'status')){
      return true;
    }
  }
});

Meanwhile inserting and remvoing operations will be denied by the server.

Ref:

METEOR SECURITY 101 by Josh Owens.

Autopubsh and Insecure Package in Meteor

Collection definitions in root directory

Published

Last Updated

Category

Tags

Contact