Any security issue with putting isAdmin bool on Meteor user document?


Is there any potential security issue with storing an isAdmin value on the user document? E.g. Meteor.user().isAdmin. I’ve already disabled client-side updates to Meteor.users.


I’ve started using a combination, as (I think like you), there’s a bit of trepidation about storing that prop right on the user doc.

For displaying admin-only ui elements and non-sensitive stuff, I check a property that is attached to the user doc – isAdmin, which is a boolean.

For making admin-only updates to docs, or when an admin is trying to view more sensitive data, I also check the userId versus an array of adminIds that is stored in a settings collection for the app. The only way to add/remove ids from this array is to be in the array, and I’ll usually just pop into mongo and add myself to get the ball rolling when I spin up the database.

I’d be interested in seeing what others are doing, though.


I have an authorization object that I place on the users document. This includes a lot of information about the users state and what they are authorized to use. I view it mostly as a cache of this state so there is simple access when verifying user authorization. I store the primary data in other sources, after those sources are updated I update the user authorization cache on the user document. This information is rarely changed so it is nearly static on the user document.

Mostly, this information is checked inside publish functions and methods.

For most users this information never makes it to the client, so I view it as being secure. For admins that need to change this data I do send it down to the client for each user the admin can manage.

Of course, I always check this.userId inside publish and method functions to determine who the user is on the client and never depend on any client side data.

I would like to hear any gotchas with this technique…


What about alanning:roles?


Overkill for what I need, and doesn’t really fit the way my data is structured.


To answer your question: if no one can update the boolean when they shouldn’t be able to, it’s perfectly safe.