fabien

Reputation: 2258

Meteor collection2 deny rules: grant full permissions to the server

I have a user collection with some deny update rules:

// The roles object
Schema.roles = new SimpleSchema({
    maker: {
        type: Boolean,
        denyUpdate: true
    },
    admin: {
        type: Boolean,
        denyUpdate: true
    }
});

That data is in the user profile. And obviously, I don't want a random user to be able to modify profile.roles.admin. But the admin user should be able to.

It works partially: the user cannot modify this boolean. But it should be possible to modify it from the following server-side code.

Meteor.users.update({_id: targetID}, {$set: {'profile.roles.admin': true}});

Is there a way to tell collection2 to trust the code from the server?


EDIT: the answer

Thanks to the answer below, here's the code I use now for my schema:

admin: {
    type: Boolean,
    autoValue: function() {
        // If the code is not from the server (isFromTrustedCode)
        // unset the update
        if(!this.isFromTrustedCode)
            this.unset();
    }
}

The isFromTrustedCode boolean tells if the code should be trusted. Simple. By the way, the autoValue option returns a complete object about the update (or insert or set or upsert) action. Here are the parameters:

isSet: true
unset: [Function]
value: true
operator: '$set'
field: [Function]
siblingField: [Function]
isInsert: false
isUpdate: true
isUpsert: false
userId: null
isFromTrustedCode: true

So it is possible to have really fine-grained management of the write permission rules.

Upvotes: 0

Views: 445

Answers (1)

Serkan Durusoy

Reputation: 5472

As provided in the official documentation, you can bypass validation using a simple option:

To skip validation, use the validate: false option when calling insert or update. On the client (untrusted code), this will skip only client-side validation. On the server (trusted code), it will skip all validation.

But if you want more fine-grained control, instead of using a denyUpdate, you can use a custom validation type which has a this context with an isFromTrustedCode property which is true when called on the server.

Upvotes: 1
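Putting the answer's isFromTrustedCode point together with the autoValue rule from the question's EDIT, here is an added example (not code from either post, nor from collection2 or SimpleSchema) that also forces the role to false on untrusted inserts and exercises the rule against a constructed stand-in for the autoValue this context listed in the question; the names adminAutoValue, makeContext and evaluateAdminRule are my own.

```javascript
// Added example: the autoValue rule for profile.roles.admin, written as a plain
// function so it can be called with an explicit context. In a real schema it
// would be the `autoValue` option; the harness below is a constructed stand-in
// for SimpleSchema's `this`, not SimpleSchema itself.
function adminAutoValue() {
  if (this.isFromTrustedCode) {
    // Server code: keep whatever the server set (returning undefined = no change).
    return undefined;
  }
  if (this.isInsert) {
    // Untrusted insert: a new user is never admin, whatever the client sent.
    return false;
  }
  if (this.isSet) {
    // Untrusted update/upsert that touches the field: strip it from the modifier.
    this.unset();
  }
  return undefined;
}

// Constructed context mirroring the fields the question lists
// (isSet, value, operator, isInsert, isUpdate, isUpsert, userId, isFromTrustedCode, unset).
function makeContext(overrides) {
  const ctx = {
    isSet: false, value: undefined, operator: null,
    isInsert: false, isUpdate: false, isUpsert: false,
    userId: null, isFromTrustedCode: false,
    unsetCalled: false,
    unset() { this.unsetCalled = true; },
  };
  return Object.assign(ctx, overrides);
}

// Run the rule once and report what would end up in the write:
// 'stripped' (field removed), 'forced' (autoValue chose the value), or 'kept'.
function evaluateAdminRule(overrides) {
  const ctx = makeContext(overrides);
  const returned = adminAutoValue.call(ctx);
  if (ctx.unsetCalled) return { outcome: 'stripped' };
  if (returned !== undefined) return { outcome: 'forced', value: returned };
  return { outcome: 'kept', value: ctx.isSet ? ctx.value : undefined };
}
```

Server-side $set of the role passes through unchanged, the same $set from a client is dropped, and a client insert that claims admin is pinned to false.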
