
Accessing collections from Meteor server-side method

Are server-side methods also governed by publications? I thought a server-side method can modify whatever it wants.

In my case, in the template's helper, I have Meteor.call('serverMethod', id) and then define serverMethod in collections/methods.js.

Through the publication, the template only has access to one record (the id one), and that's the only one serverMethod sees.

But when I publish everything to the template, serverMethod sees everything.

Isn't that odd? I thought the purpose of a server method is to be trusted, so that I can modify anything I need to without publishing the entire database? Is there something I'm missing?

My allow permissions are set fine, same as other parts of the app which work fine.

Your initial assumptions are correct - methods on the server are "trusted code", and therefore have full access to your collections (publications and deny rules do not apply).

I think the confusion is that serverMethod is defined in a shared directory and therefore will run on both the client and the server (unless it's wrapped with a Meteor.isServer check). So if the call is initiated on the client, it will run both versions. Depending on what the method actually does and how you are calling it, you may only see the result of the client-side call. The client version of a method is limited by what has been published to the client.

I suspect that inside of your helper you are doing something like:

var result = Meteor.call('serverMethod', id);

This says: "Call the client simulation of serverMethod and immediately return the result". In order to actually get the value from the server you'd need to use a callback. For example:

Meteor.call('serverMethod', id, function (error, result) { console.log(result); } );

If the above information is an accurate depiction of the problem, you now have another issue to deal with: you can't use the value of an asynchronous callback inside of a template helper. See this question for more information.

Server-side methods have access to everything and aren't subject to the allow or deny rules or publish methods.

You have to manually check if the user has permissions to do something per method.
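To make the two answers above concrete (the shared method running once as a client stub over the published subset and once for real on the server, and the per-method permission check that the server run must do itself), here is an added illustration. It is not code from the original post and not Meteor's own implementation: `makeMeteor`, `makeCollection`, `defineSharedMethods`, the `peer`/`session` wiring, and the sample posts are all constructed stand-ins so the behaviour can be run without a Meteor install.

```javascript
// Added illustration, not code from the original post and not Meteor's own
// implementation: a small stand-in for Meteor's method dispatch so the
// behaviour the answers describe can be run without a Meteor install. A
// method defined in shared code runs once as a client simulation over the
// published subset and once for real on the server over the whole
// collection; the server run is also where per-method permission checks go.

// Constructed sample data: the server holds three docs, only 'a' has been
// published to the client.
const serverDocs = [
  { _id: 'a', owner: 'u1', title: 'first' },
  { _id: 'b', owner: 'u1', title: 'second' },
  { _id: 'c', owner: 'u2', title: 'third' },
];
const clientDocs = serverDocs.filter((d) => d._id === 'a');

// Minimal collection: find(selector) returns matching docs, like fetch().
function makeCollection(docs) {
  return {
    find: (sel = {}) =>
      docs.filter((d) => Object.keys(sel).every((k) => d[k] === sel[k])),
  };
}

// One side of a Meteor connection (hypothetical stand-in). `session.userId`
// plays the authenticated DDP session; the server never reads a user id
// from client-supplied arguments.
function makeMeteor({ isServer, peer = null, session = { userId: null } }) {
  const handlers = {};
  const meteor = {
    isServer,
    isClient: !isServer,
    methods: (defs) => Object.assign(handlers, defs),
    // Invoke a registered method with a Meteor-like `this` context.
    apply(name, args, ctx) {
      if (!handlers[name]) throw new Error(`Method '${name}' not found`);
      return handlers[name].apply(ctx, args);
    },
    // Meteor.call(name, ...args, [callback])
    call(name, ...args) {
      const cb = typeof args[args.length - 1] === 'function' ? args.pop() : null;
      const ctx = { userId: session.userId, isSimulation: !isServer };
      if (isServer) return meteor.apply(name, args, ctx);
      // Client: run the stub against published data if one is registered
      // (a Meteor.isServer-only method has no stub, so this step is skipped).
      let stubResult;
      if (handlers[name]) {
        try { stubResult = meteor.apply(name, args, ctx); } catch (e) { stubResult = undefined; }
      }
      // Then the real run on the server; its answer arrives only via callback.
      if (cb) {
        try {
          cb(undefined, peer.apply(name, args, { ...ctx, isSimulation: false }));
        } catch (e) {
          cb(e, undefined);
        }
      }
      // Stand-in choice: hand back the stub's value so both runs can be
      // compared side by side; in a real client rely on the callback.
      return stubResult;
    },
  };
  return meteor;
}

// Shared code (the equivalent of collections/methods.js): loaded on both
// sides unless guarded. The permission check lives inside the method
// because server methods bypass allow/deny rules and publications.
function defineSharedMethods(Meteor, Posts) {
  Meteor.methods({
    countMyPosts() {
      if (!this.userId) throw new Error('not-authorized');
      return Posts.find({ owner: this.userId }).length;
    },
  });
  if (Meteor.isServer) {
    // Only the server sees the whole collection, so only it registers this.
    Meteor.methods({ countAllPosts: () => Posts.find().length });
  }
}

// Wire up a server and a client whose session is logged in as 'u1'.
const server = makeMeteor({ isServer: true });
const client = makeMeteor({ isServer: false, peer: server, session: { userId: 'u1' } });
defineSharedMethods(server, makeCollection(serverDocs));
defineSharedMethods(client, makeCollection(clientDocs));

// Exercise the cases the thread discusses and return what each one sees.
function demo() {
  const out = {};
  // 1. Synchronous use: only the stub's view (one published doc) is available.
  out.syncStub = client.call('countMyPosts');
  // 2. With a callback: the server run counts every doc owned by 'u1'.
  client.call('countMyPosts', (err, res) => { out.viaCallback = res; });
  // 3. Server-only method: no stub on the client, full collection on the server.
  client.call('countAllPosts', (err, res) => { out.allPosts = res; });
  // 4. Anonymous session: the in-method check rejects it on the server.
  const anon = makeMeteor({ isServer: false, peer: server });
  defineSharedMethods(anon, makeCollection([]));
  anon.call('countMyPosts', (err) => { out.anonError = err && err.message; });
  return out;
}
```

Running `demo()` gives `syncStub: 1` (the stub only sees the published record), `viaCallback: 2` (the server run sees both of u1's posts), `allPosts: 3` (the server-only method counts the whole collection, with no stub on the client), and `anonError: 'not-authorized'` (the check inside the method, not an allow/deny rule, is what stops an unauthenticated caller). The point for the original question: the id the client passes only selects a document; what the method can read is decided by which side of the connection that run executes on.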

Maybe because the serverMethod is being passed the id from the client, so technically it only ends up seeing what the client can see? (since the id is what's passed back up to the server)
