Reputation: 3211
Meteor update access denied despite presence of insecure
I have the insecure package installed and yet I get the following in the client console:
Meteor.user()
Object {_id: "4Dyaa5wRmxmq7j7XF", profile: Object, services: Object}_id: "4Dyaa5wRmxmq7j7XF"profile: Objectname: "Mel Oug"__proto__: Objectservices: Objectfacebook: Object__proto__: Object__proto__: Object__defineGetter__: function __defineGetter__() { [native code] }__defineSetter__: function __defineSetter__() { [native code] }__lookupGetter__: function __lookupGetter__() { [native code] }__lookupSetter__: function __lookupSetter__() { [native code] }constructor: function Object() { [native code] }hasOwnProperty: function hasOwnProperty() { [native code] }isPrototypeOf: function isPrototypeOf() { [native code] }propertyIsEnumerable: function propertyIsEnumerable() { [native code] }toLocaleString: function toLocaleString() { [native code] }toString: function toString() { [native code] }valueOf: function valueOf() { [native code] }get __proto__: function __proto__() { [native code] }set __proto__: function __proto__() { [native code] }
va = Meteor.user()._id
"4Dyaa5wRmxmq7j7XF"
Meteor.users.update(va, {$set: {email: '[email protected]'}})
1
debug.js:41 update failed: Access denied
I'm not sure what other relevant code to include. I have no deny (or allow) rules set up. It's a pretty straight forward user setup, I just can't see what might block it.
Here's what packages I got:
ccounts-facebook 1.0.4 Login service for Facebook accounts
accounts-google 1.0.4 Login service for Google accounts
accounts-twitter 1.0.4 Login service for Twitter accounts
aldeed:autoform 5.1.2 Easily create forms with automatic insert a...
aldeed:collection2 2.3.3 Automatic validation of insert and update o...
autopublish 1.0.3 Publish the entire database to all clients
blaze 2.1.2 Meteor Reactive Templating library
cmather:handlebars-server 2.0.0 Allows handlebars templates to be defined o...
email 1.0.6 Send email messages
insecure 1.0.3 Allow all database writes by default
iron:router 1.0.7 Routing specifically designed for Meteor
meteor-platform 1.2.2 Include a standard set of Meteor packages i...
mquandalle:jade 0.4.1* Jade template language
msavin:mongol 1.0.30* The insanely handy development package for...
service-configuration 1.0.4 Manage the configuration for third-party se...
twbs:bootstrap 3.3.4 The most popular front-end framework for de...
useraccounts:bootstrap 1.8.1* Accounts Templates styled for Twitter Boots
Upvotes: 4
Views: 684
Answers (1)
Reputation: 2469
The Meteor.users collection is a special case, with an established structure and permissions. You are only allowed to update the user.profile field from the client, even with the insecure package installed.
This will work, for example:
Meteor.users.update(va, {$set: {'profile.email': '[email protected]'}})
Emails in general are saved from server code and pushed to the provided 'emails' array in the user record.
"emails" : [ { "address" : "[email protected]", "verified" : false } ],
From the meteor docs:
Users are by default allowed to specify their own profile field with Accounts.createUser and modify it with Meteor.users.update. To allow users to edit additional fields, use Meteor.users.allow.
Upvotes: 6
Related Questions
- MeteorJS App Security
- Meteor Mongo Insert Failed -- Access Denied
- Meteor and MongoDB: Authentication failures
- Uncaught Error: Not permitted. Untrusted code may only update documents by ID. [403]
- Attempting to update Meteor.users results in "Access Denied"
- Access denied [403] when updating user accounts client-side in Meteor
- Meteor cannot update mongo?
- Meteor mongo: Untrusted code may only update documents by ID. [403]
- Meteor Collection.allow
- Meteor Update collection - Uncaught Error: Not permitted. Untrusted code may only update documents by ID. [403]