Reputation: 843
I believe that from a security perspective, it is best to handle access to a restricted URL in 2 places:
Iron-Router supports the first way, but I want to use Flow-Router.
I found an article by Satya van Heummen, Meteor: Using Flow Router for authentication and permissions.
In this article he is using routing groups and triggers to "filter" routes by permissions. But in this article he is using Meteor.loggingIn(), Meteor.userId(), Meteor.user() and Roles.userIsInRole() inside the triggersEnter: function of the FlowRouter object.
Is it possible that any of those functions will be undefined during the triggersEnter execution? Is it safe to use them?
I like the pattern from the article, but want to make sure it is safe to use (or can become safe with a few changes).
Upvotes: 2
Views: 613
Reputation: 3226
I also noted that Roles.userIsInRole() as well as other security related functions can return undefined in the triggerEnter function. Since I also noticed that the article you mentioned is using them without issues, it led me to investigate.
Here is why, as far as I can tell: if you use a container, you need to make sure that the user is not currently logging in at this level before loading any template in the field (and thus triggering the route enter function with no Meteor.userId()).
So you can use all user rights related functions in triggerEnter as long as you do something like this in your container, basically preventing any template from being loaded as long as the user is logging in:
{{#if authInProcess}}
  <p>loading ...</p>
{{else}}
  {{! load your template }}
  {{> Template.dynamic template=layout}}
{{/if}}
with a helper looking like this:
authInProcess: function() {
return Meteor.loggingIn();
},
Note that this code is taken from there: https://kadira.io/academy/meteor-routing-guide/content/implementing-auth-logic-and-permissions
Upvotes: 1
Reputation:
I think your reason for concern is valid; it's possible because triggersEnter is called just once. I recommend reading the official tutorial on Auth Logic and Permissions, which works on the Template level and is reactive.
Previously, we did this in the router layer (specifically with Iron Router). However, that's not a good design and we don't recommend it.
https://kadira.io/academy/meteor-routing-guide/content/implementing-auth-logic-and-permissions
Upvotes: 1
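To make the point of both answers concrete (the trigger's check is a one-shot snapshot, while the container gate is evaluated at render time), here is an added simulation that is not part of the question, the answers, or the Meteor packages. The `Meteor`, `Roles` and route-trigger objects below are hand-written stand-ins for the real APIs, and the "admin" role and user id are constructed sample values.

```javascript
// Hand-written stand-ins for Meteor's accounts state and the Roles package.
// The page starts while the client is still resuming its login session.
const Meteor = {
  _loggingIn: true,   // constructed initial state: resume-login in flight
  _userId: null,
  _roles: [],
  loggingIn() { return this._loggingIn; },
  userId() { return this._userId; },
};
const Roles = {
  userIsInRole(userId, role) {
    return userId !== null && Meteor._roles.includes(role);
  },
};

// Models a FlowRouter triggersEnter callback: it runs exactly once when the
// route is entered, so whatever Meteor.userId() returns at that instant
// decides the outcome. This naive version has no Meteor.loggingIn() guard.
function adminTriggerEnter() {
  if (!Roles.userIsInRole(Meteor.userId(), "admin")) return "redirect:/login";
  return "allow";
}

// Models the container helper from the first answer: keep rendering
// "loading ..." until the login handshake has finished, then decide.
// In Meteor this helper is reactive and re-runs when loggingIn() changes.
function renderContainer() {
  if (Meteor.loggingIn()) return "loading ...";
  return Roles.userIsInRole(Meteor.userId(), "admin") ? "adminLayout" : "denied";
}

// Replays the race: route entered during login, then login completes.
function simulate() {
  const log = [];
  log.push({ phase: "enter-during-login",
             trigger: adminTriggerEnter(), container: renderContainer() });
  // Handshake completes: a constructed admin user is now logged in.
  Meteor._loggingIn = false;
  Meteor._userId = "user-1";
  Meteor._roles = ["admin"];
  // The trigger does NOT re-run; only the reactive container re-evaluates.
  log.push({ phase: "after-login",
             trigger: null, container: renderContainer() });
  return log;
}
```

The first entry shows the unguarded trigger bouncing a legitimate admin to /login because userId() was still null, while the container merely shows "loading ..." and then resolves to the admin layout once the session is restored.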