Add roles when create user

youyou · June 3, 2016, 10:27am

import { Meteor } from ‘meteor/meteor’;
import { Accounts } from ‘meteor/accounts-base’;
import { CONST } from ‘…/…/common/constants.js’;
import { Roles } from ‘meteor/alanning:roles’;

Meteor.methods({
updateUserProfile: (newProfile) => {
const userId = Meteor.userId();
// var isEmailChanged = currentProfile ?
// newProfile.email != currentProfile.email :

Meteor.users.update(userId, {
  $set: {
    profile: newProfile,
  },
}, {
  validationContext: 'updateUserProfile',
});

},

createDriver: (newUser) => {
var id =Accounts.createUser({
username: newUser.username,
email: newUser.email,
password: newUser.password,
profile: newUser.profile,
//roles: CONST.USER_ROLES.DRIVER,
});
//console.log(Meteor.userId());
Roles.addUsersToRoles(Accounts.userId(), ‘Driver’);
},
});

driverjoin.js

Template.driverJoin.events({
‘submit #form’: function driverJoinSubmitForm(event) {
// Prevent default browser form submit
event.preventDefault();

const data = {
  username: event.target.email.value,
  email: event.target.email.value,
  password: event.target.password.value,
  profile: {
    lastName: event.target.lastname.value,
    firstName: event.target.firstname.value,
    phone: event.target.phone.value,
    // email: event.target.email.value,
    birthday: moment(event.target.birthday.value, CONST.DEFAULT_DATETIME_FORMAT).toDate(),
    creditCard: {
      num: event.target.num.value,
      validThruM: event.target.validThruM.value,
      validThruY: event.target.validThruY.value,
      cvv: event.target.cvv.value,
      name: event.target.name.value,
    },
  },
};

// TODO: Add validation

Meteor.call('createDriver', data, (error) => {
  if (error) {
    Session.set(SESSION.ERROR, error);
  } else {
    FlowRouter.go('/s/driver/vehicles');  // TODO : replace with redirection by root name
  }
});
return false;

},
});

danjimgar · June 3, 2016, 12:27pm

In my example:

CLIENT

Meteor.call('addUserRoleFreeNutritionist', Meteor.userId());

SERVER

Meteor.methods({
    //@Method añade el rol 'free' y el grupo 'nutricionista' al usuario pasado por id
    addUserRoleFreeNutritionist: function (id) {
        check(id, String);
        Roles.addUsersToRoles(id, 'free', 'nutricionist');
    },
});

Thats all

jamgold · June 3, 2016, 6:44pm

That would be a security concern, because ANY user could add ANY other user to the role.

You should modify this to

CLIENT

Meteor.call('addUserRoleFreeNutritionist');

SERVER

Meteor.methods({
    //@Method añade el rol 'free' y el grupo 'nutricionista' al usuario pasado por id
    addUserRoleFreeNutritionist: function () {
        if(!this.userId) throw new Meteor.Error('403','Access Denied','You must be logged in');
        Roles.addUsersToRoles(this.userId, 'free', 'nutricionist');
    },
});

youyou · June 4, 2016, 7:51am

i get the error 403’,‘Access Denied’,'You must be logged in

satya · June 4, 2016, 9:10am

Use the Alanning Roles package and the onCreateUser hook, like this:

Accounts.onCreateUser (options, user) ->
  user.roles = ['admin']
  return user

you can then check anywhere in your code whether the user is an admin, like this:

Roles.userIsInRole(Meteor.user(), ['admin'])

A much more secure and foolproof solution.