A question about official tutorial

ivoronline · April 26, 2015, 6:33pm

In this last step of tutorial https://www.meteor.com/try/11 code is added that should prevent users from deleting others private tasks

// Inside the deleteTask method
var task = Tasks.findOne(taskId);
if (task.private && task.owner !== Meteor.userId()) {
  // If the task is private, make sure only the owner can delete it
  throw new Meteor.Error("not-authorized");
}

Why is this needed when we have already used publish to make sure users can’t even see others private tasks

// Modify the publish statement
// Only publish tasks that are public or belong to the current user
Meteor.publish("tasks", function () {
  return Tasks.find({
    $or: [
      { private: {$ne: true} },
      { owner: this.userId }
    ]
  });
});

guidouil · April 26, 2015, 7:48pm

Server side method have all the rights on your collections so you have to make sure if someone call’s it with another task _id that does not belong to him. Remember that all you write in you client code can be typed in the browser console

ivoronline · April 26, 2015, 8:24pm

Yeah, I constantly forget that publish and subscribe is only for READING MongoDB but that you can still do whatever you want to edit data,