I was googling something related to collection validators today when I stumbled onto this blog post from a month ago:
http://blog.east5th.co/2015/06/29/black-box-meteor-shared-validators/
I tried the test for client access to the allow and deny methods for my primary collection (which are stored in my app’s top-level /lib directory for access on both the client and the server), and just as was predicted in the blog post, the entire source of my allow update validator was printed in the console in Chrome:
Post._validators.update.allow.toString() printed the function source to the console.
If I understood the author of the post correctly, he’s saying a collection’s allow and deny validators run only on the server, so should they be stored in a directory accessible only from the server?
And, if that’s the case, should all of the code related to a collection be stored in a /server directory? Are there any other source bits that could be accessed in the console by a malicious individual (potentially)?
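Added example, not from the post above or from Meteor itself: a small model of Meteor's directory-based loading rules, used to show which files end up in the JavaScript bundle every visitor receives, and therefore which function sources can be read back with toString() in the browser console. The rules modelled are Meteor's documented ones (client/ loads only in the browser, server/ only on the server, any other directory such as lib/ or the app root on both sides); the file names and their contents are constructed for the example.

```javascript
// Constructed sample app: path -> source text. Only the directory prefix
// matters for the loading rule; the contents are illustrative.
const appFiles = {
  'lib/collections/posts.js': `
    Posts = new Mongo.Collection('posts');
  `,
  // Shared directory: ships to the client, so its source is public.
  'lib/validators/posts.js': `
    Posts.allow({
      update(userId, doc) { return doc.ownerId === userId; }
    });
  `,
  // A Meteor.isServer guard changes where code RUNS, not where it SHIPS:
  // this file is still delivered to the browser.
  'lib/guarded.js': `
    if (Meteor.isServer) {
      Posts.deny({ remove() { return true; } });
    }
  `,
  // Server-only directory: never delivered to the browser.
  'server/validators/posts.js': `
    Posts.deny({
      update(userId, doc, fields) { return fields.includes('ownerId'); }
    });
  `,
  'client/ui/posts.js': `
    Template.post.helpers({ own() { return this.ownerId === Meteor.userId(); } });
  `,
};

// Where a file is loaded, decided from its top-level directory
// (model of Meteor's special-directory rules, as assumed in this example).
function loadTargets(path) {
  const top = path.split('/')[0];
  if (top === 'server') return ['server'];
  if (top === 'client') return ['client'];
  // public/ and private/ hold static assets, tests/ is not loaded as app code.
  if (top === 'public' || top === 'private' || top === 'tests') return [];
  return ['client', 'server']; // lib/, the app root and any other directory
}

// The set of files whose source is part of the JavaScript served to browsers.
function clientBundle(files) {
  return Object.keys(files)
    .filter((path) => loadTargets(path).includes('client'))
    .sort();
}

// True when the file's source can be read from the browser console, e.g. via
// SomeCollection._validators.update.allow.toString().
function exposedToClient(files, path) {
  return clientBundle(files).includes(path);
}

// Files that contain allow/deny rules but are shipped to every visitor.
function exposedValidatorFiles(files) {
  return clientBundle(files).filter((path) => /\.(allow|deny)\(/.test(files[path]));
}

// Stand-alone usage: list what a visitor could read.
console.log('client bundle:', clientBundle(appFiles));
console.log('validator sources readable in the browser:', exposedValidatorFiles(appFiles));
```

Two points for whoever is deciding where to put the rules: allow and deny are evaluated on the server regardless of which file defines them, so moving them into server/ keeps enforcement intact while removing the source from the bundle; and wrapping shared code in an if (Meteor.isServer) block does not remove it from the bundle, it only stops it from executing in the browser. The safe working assumption is that everything outside server/ (and private/) is readable by anyone who loads the app, so no secret or security-relevant logic should depend on being hidden there.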