Are server-side methods also governed by publications? I thought a server-side method can modify whatever it wants.
In my case, in template's helper, I have Meteor.call('serverMethod', id) and then define serverMethod in collections/methods.js.
Through the publication, template only has access to one record (the id one), but that's the only one serverMethod sees.
But when I publish everything to template, serverMethod sees everything.
Isn't that odd? I thought the purpose of a server method is to be trusted, so that I can modify anything I need to without publishing the entire database? Is there something I'm missing?
My allow permissions are set fine, same as other parts of the app which work fine.
Your initial assumptions are correct - methods on the server are "trusted code", and therefore have full access to your collections (publications and deny rules do not apply).
I think the confusion is that serverMethod is defined in a shared directory and therefore will run on both the client and the server (unless it's wrapped with a Meteor.isServer). So if the call is initiated on the client, it will run both versions. Depending on what the method actually does and how you are calling it, you may only see the result of the client-side call. The client version of a method is limited by what has been published to the client.
I suspect that inside of your helper you are doing something like:
var result = Meteor.call('serverMethod', id);
This says: "Call the client simulation of serverMethod and immediately return the result". In order to actually get the value from the server you'd need to use a callback. For example:
Meteor.call('serverMethod', id, function (error, result) { console.log(result); } );
If the above information is an accurate depiction of the problem, you now have another issue to deal with: you can't use the value of an asynchronous callback inside of a template helper. See this question for more information.
Server side methods have access to everything and aren't subject to the allow or deny rules or publish methods.
You have to manually check if the user has permissions to do something per method.
Maybe because the serverMethod is being passed the id from the client, so technically it only ends up seeing what the client can see? (since the id is what's passed back up to the server)
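An added example, not part of any answer above and not Meteor's own code: a plain Node.js model of the first answer's point (the client simulation sees only published documents, while the server run sees the whole collection and reports back through the callback) together with the per-method permission check the second answer calls for. The `owner` field, `publishOne`, `runOnServer`, `call` and the sample documents are assumptions made for the illustration.

```javascript
// Plain Node.js model of the behaviour; not Meteor's implementation.
// All names and the sample documents are constructed for this example.
const serverDb = [
  { _id: 'a', owner: 'u1' },
  { _id: 'b', owner: 'u2' },
  { _id: 'c', owner: 'u1' },
];

// Publication: the client cache receives only the requested document.
function publishOne(id) {
  return serverDb.filter((doc) => doc._id === id);
}

// Method body as loaded from a shared file: the same function runs on both
// sides, and `docs` is whatever that side is able to read.
function serverMethod(docs, id) {
  return { found: docs.some((doc) => doc._id === id), visible: docs.length };
}

// Server run: publications do not limit it, so it authorizes the caller itself.
function runOnServer(userId, id) {
  const doc = serverDb.find((d) => d._id === id);
  if (!doc || doc.owner !== userId) throw new Error('not-authorized');
  return serverMethod(serverDb, id);
}

// Client call: the simulation runs at once against the local cache; the
// server's result (or error) reaches the callback on a later tick.
function call(client, id, callback) {
  client.simulated = serverMethod(client.cache, id);
  setImmediate(() => {
    let error = null;
    let result;
    try { result = runOnServer(client.userId, id); } catch (e) { error = e; }
    callback(error, result);
  });
}

const client = { userId: 'u1', cache: publishOne('a') };
call(client, 'a', (error, result) => {
  console.log('simulation:', client.simulated); // sees the published subset
  console.log('server    :', error ? error.message : result); // sees all documents
});
```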