流星 - 个人资料编辑安全

Question

So I found this article. Is it still actuall or has meanwhile something changed? Should I be worried about user's security? I'm updating user data like so:

Meteor.users.update({_id: Meteor.userId()}, {$set: {'profile.name': name, 'profile.surname': surname}})

Answer 1

The profile field of Meteor.users is subject to debate and might be deprecated in the future (or at least its specific auto-publish behavior). See this MDG document . Quote:

The profile field on user documents is very dangerous. New Meteor developers often think it's a good place for all data they put on their user documents, and it's especially convenient because it's automatically published to the client. Unfortunately, profile is a bad place for pretty much anything. In any real app, you will want to validate every bit of data that enters your database.

My advice is to not using the profile field at all. Instead, add whatever fields you need to Meteor.users and publish them the usual way.