Security for Meteor methods while allowing server to run code too

By : Giorgos Gkotsis
Date : November 19 2020, 12:01 PM
Refactor your shared code (that is run both in the method and in the startup function) into a separate function, and use it in both places:
code :
var sharedFunction = function() {
  // do something
};

Meteor.methods({
  "foo": function() {
    // Meteor.user() is null when nobody is logged in, so guard before reading isAdmin
    var user = Meteor.user();
    if (user && user.isAdmin) {
      sharedFunction();
    }
  }
});

// The same function runs unconditionally on the server at startup
Meteor.startup(sharedFunction);


Meteor.methods and security

By : user2418195
Date : March 29 2020, 07:55 AM
Nothing is stopping a hacker from doing that. In the method, you must check that the user has done something that gives him the right to call the method.
Meteor allowing me to subscribe from anywhere, security flaw

By : Kasus RMC
Date : March 29 2020, 07:55 AM
Yes, you should add security checks to all publishers and methods.
Here's an example publisher that ensures the user is logged in and is a member of the group before receiving any posts related to the group:
code :
Meteor.publish('postsForGroup', function(groupId) {
  check(groupId, String);

  // make sure the group exists and the user is a member of it
  var group = Groups.findOne(groupId);
  if (!group)
    throw new Meteor.Error(404, 'Group not found!');
  if (!_.contains(group.members, this.userId))
    throw new Meteor.Error(403, 'You must be a member of the group!');

  return Posts.find({groupId: groupId});
});

Meteor.methods({
  'groups.update.name': function(groupId, name) {
    check(groupId, String);
    check(name, String);

    // make sure the group exists and the user is an admin of it
    var group = Groups.findOne(groupId);
    if (!group)
      throw new Meteor.Error(404, 'Group not found!');
    if (!_.contains(group.admins, this.userId))
      throw new Meteor.Error(403, 'You must be an admin of the group!');

    // make sure the name isn't empty
    if (!name.length)
      throw new Meteor.Error(403, 'Name can not be empty!');

    return Groups.update(groupId, {$set: {name: name}});
  }
});
Security in Meteor methods - should I pass an object or just the id to the server?

By : Raj Sekhar
Date : March 29 2020, 07:55 AM
Pass the ID and fetch the object on the server.
The key security principle here is:
code :
Meteor.methods({
  myMethodTwo: function (invId) {
    check(invId, String);
    // look the object up on the server, scoped to the calling user
    var invitation = Invitations.findOne({_id: invId, owner: this.userId});
    if (!invitation) {
      throw new Meteor.Error("User has no object with that id",
                             "Object does not exist or user is not owner");
    }
    // check state,
    // then, update invitation, send out an email, etc.
  }
});
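As an added example (not code from any of the answers above), here is an offline stand-in for the pattern this answer and the group-membership answer describe: the server re-fetches the document by id and owner rather than trusting an object the client sent. `MeteorError`, the in-memory collection and the sample invitation are all constructed here to keep the block runnable without Meteor.

```javascript
// Stand-in for Meteor.Error: carries an error code and a reason.
class MeteorError extends Error {
  constructor(error, reason) {
    super(reason);
    this.error = error;
    this.reason = reason;
  }
}

// Minimal in-memory collection: findOne matches every selector field exactly,
// update applies a $set modifier to the document with the given _id.
function makeCollection(docs) {
  return {
    findOne(selector) {
      return docs.find(d => Object.keys(selector).every(k => d[k] === selector[k]));
    },
    update(id, modifier) {
      const doc = docs.find(d => d._id === id);
      if (!doc) return 0;
      Object.assign(doc, modifier.$set);
      return 1;
    },
  };
}

// Constructed sample data: invitation inv1 belongs to alice.
const Invitations = makeCollection([
  { _id: 'inv1', owner: 'alice', state: 'pending' },
]);

// Insecure variant: the ownership check runs against the client-supplied
// object, so a caller can simply claim to be the owner.
function acceptInvitationInsecure(userId, invitation) {
  if (invitation.owner !== userId) throw new MeteorError(403, 'not owner');
  return Invitations.update(invitation._id, { $set: { state: 'accepted' } });
}

// Secure variant: the client passes only the id; owner and state are checked
// against the server's own copy of the document.
function acceptInvitationSecure(userId, invId) {
  const invitation = Invitations.findOne({ _id: invId, owner: userId });
  if (!invitation) {
    throw new MeteorError(404, 'Object does not exist or user is not owner');
  }
  if (invitation.state !== 'pending') throw new MeteorError(409, 'Already handled');
  return Invitations.update(invitation._id, { $set: { state: 'accepted' } });
}
```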
Sending array between server and client via Meteor.methods using angular-meteor

By : Ari
Date : March 29 2020, 07:55 AM
Turns out that my problem was in the Meteor.call()
It returns an error and a result, rather than a single object.
code :
// client
Meteor.call("getRoles", Meteor.userId(), (error, data) => {
  if (!error) {
    console.log("data", data);
    this.roles = data;
    console.log("roles", this.roles);
  } else {
    console.log("error: ", error);
  }
});

// output
demo.component.ts:57 user list []
demo.component.ts:58 roles []
demo.component.ts:57 user list [Object]
demo.component.ts:58 roles []
demo.component.ts:49 data ["admin","spectator","coach","player"]
demo.component.ts:51 roles ["admin","spectator","coach","player"]
demo.component.ts:49 data ["admin","spectator","coach","player"]
demo.component.ts:51 roles ["admin","spectator","coach","player"]
demo.component.ts:57 user list [Object, Object, Object, Object, Object, Object]
demo.component.ts:58 roles ["admin","spectator","coach","player"]
demo.component.ts:49 data ["admin","spectator","coach","player"]
demo.component.ts:51 roles ["admin","spectator","coach","player"]
Hide secret server code called from Meteor Methods

By : Tushar Gupta
Date : March 29 2020, 07:55 AM
I finally figured this out I think.
The short version is, ignore what it says here; I believe it's incorrect or at least misleading:
code :
/*   /imports/methods.js   */

// Note: no conditional use of require this time

Meteor.methods({
  'myMethodName': function() {
    // ... common code
    if (Meteor.isServer) {
      ServerCode.secret() // <-- Defined as a global outside of this file!
    }
    // ... common code
  }
})

/*   /imports/server-code.js   */

class _ServerCode {
  secret() {
    console.log("Shhhhhh, I'm secret()!")
  }
}
// Here's the global variable (the method above refers to it by this name):
ServerCode = new _ServerCode()

/*   /server/server-main.js   */

import '/imports/server-code' // <-- declare the global
import '/imports/methods' // <-- use the global in here

/*   /client/client-main.js   */

import '/imports/methods' // <-- server-code.js is never imported on the client

//...

Meteor.call('myMethodName')