soundly_typed
Reputation: 40386
Deny all collection actions?
I've removed the autopublish package, and I'm perfectly ok with only using Meteor.methods as the sole interface to call procedures on the server. However, I just discovered the client can still delete things by simply running MyModel.remove({ _id: 'someid' }) in the console.
What's the best way to deny all such actions on all collections in Meteor?
Upvotes: 1
Views: 118
Answers (2)
Tarang
Reputation: 75975
The easiest way is to remove the insecure package. If you have no allow rules then by default all inserts from the client will be denied:
meteor remove insecure
Upvotes: 4
David Weldon
Reputation: 64342
Remove the insecure package. If you don't have any allow or deny rules, the default action will be to deny all client-side database mutations.
Upvotes: 1
Related Questions
- How to deny collection insert/update in the server side
- Meteor restrict access to files and collections
- How to deny access for fetch operations
- What logic must I cover in Collection.allow and Collection.deny to ensure it's secure?
- Meteor - Deny read?
- Meteor collection2 deny rules : grant full permissions to the server
- Meteor Deny certain Collection Fields
- How to prevent collection modification via console for an otherwise secure update operation?
- allow and deny parameters in collections
- How to protect part of a collection schema in Meteor?