Justin Maat

Reputation: 1975

Access denied [403] when updating user accounts client-side in Meteor

I'm reading through the docs for Meteor here and the useraccounts package here but can't find an answer. I've added the useraccounts package successfully and have created a few users, but now I want to add some data to the record in the collection for a given user.

For example, after account creation and login, I want the user to be able to add/edit some fields on their record (short biography, etc.), but I keep getting a 403 error whenever performing a Meteor.users.update(..).

My login config file can be found here.

The code that's causing an error:

Template.editProfile.events({
    'submit form': function(e) {
        e.preventDefault();

        // Read the three text inputs from the submitted form
        var profileInfo = {
            displayName: $(e.target).find('[name=displayName]').val(),
            tagLine: $(e.target).find('[name=tagLine]').val(),
            aboutMe: $(e.target).find('[name=aboutMe]').val()
        };

        // Client-side write to the current user's own document;
        // this is the call that comes back with "Access denied [403]"
        Meteor.users.update(
            { _id: Meteor.userId()},
            { $set: profileInfo},
            function (err) {
                if(err) {
                    console.log('there was an error submitting editProfile data');
                    console.log(err);
                } else {
                    Router.go('profile');
                }
            }
        );
    }
});

Console logs show Meteor.userId() coming back correctly, so I'm not sure what the problem is. I'm assuming it's an issue with allow/deny, but I don't even know where to begin to troubleshoot.

The exact error is:

error: 403

errorType: "Meteor.Error"

message: "Access denied [403]"

reason: "Access denied"

Upvotes: 3

Views: 974

Answers (1)

Matthias A. Eckhart

Reputation: 5156

By removing the insecure package, client-side write access will be denied by default. If you want to allow clients to write directly to a collection, you need to define rules.

For example:

// Define the rule before handing it to allow(); referencing ownsDocument
// first would fail because it is not assigned yet at that point.
ownsDocument = function (userId, doc) {
    // For Meteor.users the user id is the document's _id (user documents have
    // no userId field); for your own collections compare the owner field instead.
    // Note: this grants the user write access to every field of their own
    // document; use the fieldNames argument of the callback to narrow it.
    return doc && doc._id === userId;
};

Meteor.users.allow({
    update: ownsDocument
});

The ownsDocument() function checks if the userId specified owns the document. In addition to the update callback, you can set rules for insert and remove.

Read more about Meteor's collection.allow(options), access a demo app or clone the repository.

Upvotes: 4
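The allow rule above is the minimum that makes the update go through, but a rule that only checks ownership lets a client `$set` any field of its own account document, including `services`, `emails` and `roles`. The following is an added example, not code from the question or the answer: a field-whitelisted update rule for `Meteor.users`, written as a pure function so it can be exercised outside a running Meteor server. The field names `displayName`, `tagLine` and `aboutMe` come from the question; the function name `canUpdateOwnProfile`, the constant `EDITABLE_PROFILE_FIELDS` and the sample user ids are assumptions. It uses the `(userId, doc, fieldNames, modifier)` callback signature and the `fetch` option that Meteor's `collection.allow` documents. (Independently of the `insecure` package, `accounts-base` ships a default rule that lets a logged-in user update only their own `profile` field, which is why top-level fields such as `displayName` are rejected unless you add a rule like this one.)

```javascript
// Added example (not from the question or the answer): a field-whitelisted
// allow rule for Meteor.users, kept as a pure function so it can be
// unit-tested under plain Node without a Meteor runtime.

// Top-level fields a user may edit on their own account document (names taken
// from the question). Everything else (services, emails, roles, ...) stays
// server-controlled.
const EDITABLE_PROFILE_FIELDS = ['displayName', 'tagLine', 'aboutMe'];

// Meteor calls allow/deny update callbacks as (userId, doc, fieldNames, modifier).
// Returns true only when the caller is logged in, is editing their own document,
// uses $set exclusively, and touches only whitelisted top-level string fields.
function canUpdateOwnProfile(userId, doc, fieldNames, modifier) {
  if (!userId || !doc) return false;
  // For Meteor.users the document _id is the user id; there is no userId field.
  if (doc._id !== userId) return false;
  if (!Array.isArray(fieldNames) || fieldNames.length === 0) return false;
  const allowed = new Set(EDITABLE_PROFILE_FIELDS);
  // fieldNames lists the top-level keys the modifier would change.
  if (!fieldNames.every((f) => allowed.has(f))) return false;
  // Accept only $set so a client cannot $unset, $rename or $push on its document.
  const ops = Object.keys(modifier || {});
  if (ops.length !== 1 || ops[0] !== '$set') return false;
  // Re-check the concrete $set keys: a dotted key such as 'displayName.x'
  // reports 'displayName' in fieldNames but must still be rejected.
  const setKeys = Object.keys(modifier.$set);
  return setKeys.length > 0 &&
    setKeys.every((k) => allowed.has(k) && typeof modifier.$set[k] === 'string');
}

// Wire the rule up on the server. The guard lets this file also run under plain
// Node for the self-check below; in a Meteor app this belongs in server/ code.
if (typeof Meteor !== 'undefined' && Meteor.isServer) {
  Meteor.users.allow({
    update: canUpdateOwnProfile,
    fetch: ['_id'], // only fetch the fields the rule actually reads
  });
}

// Constructed sample calls (not real traffic) showing each decision the rule makes.
function demo() {
  const me = 'user_abc'; // constructed user id
  const myDoc = { _id: me };
  return {
    ownSet: canUpdateOwnProfile(me, myDoc, ['displayName'], { $set: { displayName: 'Justin' } }),
    otherUser: canUpdateOwnProfile('user_xyz', myDoc, ['displayName'], { $set: { displayName: 'x' } }),
    servicesField: canUpdateOwnProfile(me, myDoc, ['services'], { $set: { 'services.password.bcrypt': 'x' } }),
    unsetOp: canUpdateOwnProfile(me, myDoc, ['tagLine'], { $unset: { tagLine: '' } }),
    dottedKey: canUpdateOwnProfile(me, myDoc, ['displayName'], { $set: { 'displayName.x': 'a' } }),
    loggedOut: canUpdateOwnProfile(null, myDoc, ['aboutMe'], { $set: { aboutMe: 'hi' } }),
  };
}

if (typeof Meteor === 'undefined') {
  console.log(demo()); // expected: only ownSet is true
}
```

The `fetch: ['_id']` option is what lets the rule run with only the field it needs; without it Meteor fetches the whole user document for every client update, which is wasteful and can leak more than the rule should see. A `deny` rule evaluated alongside this `allow` is still the stronger pattern in Meteor, since any `deny` callback returning true overrides every `allow`.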
