Lindsayts

Reputation: 327

Are there 'private' server methods in Meteor?

Is there a way to stop a Client calling a Server Method from the browser console?

I gather from the Unofficial Meteor FAQ that there isn't. I just wanted to check if that's definitely the case - the FAQ isn't really specific. I mean are there no 'private' methods?

Upvotes: 8

Views: 2059

Answers (2)

tanutapi

Reputation: 1113

I made a private method by checking this.connection to be null.

Ref: http://docs.meteor.com/#/full/method_connection

Ex.

Meteor.methods({
  'serverCallOnlyFunc': function() {
    if (this.connection === null) {
      //do something
    } else {
      throw(new Meteor.Error(500, 'Permission denied!'));
    }
  }
});

Upvotes: 3

Tarang

Reputation: 75945

In Meteor, the 'methods' described by Meteor.methods can all be called from the client. In this sense there aren't private methods, because the purpose of the RPC call is for the client to make the call.

If you want a 'private' method you could use an ordinary JavaScript method. If you define the method with var, it would only be accessible within the file, and cannot be called from the client.

var yourmethod = function() {
    // ...
}

which is equivalent to:

function yourmethod() {
    // ...
}

Or you can define it so any of your server script can use it:

yourmethod = function() {
    // ...
}

If you mean you want an RPC method call that is accessible only from the JavaScript code, but not from the JavaScript console in Chrome, this isn't possible. This is because the idea behind Meteor is that all RPCs from the client are not trusted, and there is no way to distinguish whether it came from the console or not. You can use Meteor user authentication or the Collection.allow or Collection.deny methods to prevent any unauthorized changes this way.

Upvotes: 17
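An added example (not from either answer, and not Meteor's own code) putting the two answers side by side: a server-only guard on `this.connection`, and a client-callable method that authorizes on `this.userId` because the call's origin cannot be told apart. `MethodError`, `invoke`, the method names and the sample users are assumptions standing in for Meteor's dispatch so the block runs without Meteor.

```javascript
// Stand-in for Meteor's method dispatch (constructed for this example, not Meteor code).
// Real Meteor sets this.connection and this.userId on the method invocation object.
class MethodError extends Error {
  constructor(code, reason) { super(reason); this.error = code; }
}

const ADMINS = new Set(['u_admin']);        // constructed sample data
const posts = new Map([['p1', 'hello']]);   // constructed sample data

const methods = {
  // Server-only guard from the first answer: a null connection means a server-initiated call.
  rebuildIndex() {
    if (this.connection !== null) throw new MethodError(403, 'Permission denied');
    return 'rebuilt';
  },
  // Client-callable method: validate the argument, then authorize on the
  // authenticated user, never on where the call appears to come from.
  deletePost(postId) {
    if (typeof postId !== 'string') throw new MethodError(400, 'Bad argument');
    if (!this.userId) throw new MethodError(401, 'Login required');
    if (!ADMINS.has(this.userId)) throw new MethodError(403, 'Permission denied');
    return posts.delete(postId);
  },
};

// Run a method with the given invocation context; report the result or the error code.
function invoke(name, context, ...args) {
  try {
    return { ok: true, value: methods[name].apply(context, args) };
  } catch (e) {
    if (e instanceof MethodError) return { ok: false, code: e.error };
    throw e;
  }
}

// A call typed into the browser console and one made by app code arrive with the
// same kind of context: a connection and the session's userId. Only a call made
// by server code has connection === null.
const guestCall = { connection: { id: 'c1' }, userId: 'u_guest' };
const adminCall = { connection: { id: 'c2' }, userId: 'u_admin' };
const serverCall = { connection: null, userId: null };
```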
