Can a user edit the code in a template helper?

I am wanting to display parts of a page depending on the permissions of the logged in user. My template would look something like:

{{#if hasPermissions permission=“SectionA”}}
Section A code…

{{#if hasPermissions permission=“SectionB”}}
Section B code…

My template helper would contain a method called ‘hasPermissions’ which takes as a parameter ‘permission’. The result of the method would be a boolean true/false as to whether the user has permissions.

What I need to know is whether an end user would be able to either edit the hasPermissions code when it is client side or put a break point on and change the result before it is sent back? It is extremely important that users are not able to hack the client side code to allow them to see content they are not allowed to see.

If it is the case that users can edit the code - what is the way to achieve displaying sections of a page based on permissions?

All code on the client can’t potentially be changed or viewed, which makes the most important line of security of your app the endpoints between your client and your server - publications/methods on the server/both

You’re asking wrong question. The right one would be “how can I prevent the client from getting data it shouldn’t have”. And the answer would be “restrict this data in your publication, on the server”. This way you don’t have to worry if the client tries to hack anything, because it won’t have access to restricted data.

Thanks for the reply - I agree with your point about restricting the data in my publications. However, what if I wanted to prevent users going to a particular page based on their permissions?

My current thinking would be very similar to my original example:

{{#if hasPermissions permission=“PageA”}}
Page A content
You do not have permissions to view this page.

I would have the same concerns about hacking the ‘hasPermissions’ template helper method on this example. Is there a secure way to do this?

Yes. Simply don’t put important content on the client side - put it into a publication and publish that only to validated users.

Also, everything which manipulates the collections should go into Meteor method calls to the server (which again only get executed after validation).

This way it doesn’t matter if the user sees a “Update blogtext” button. He may see it but he can’t do anything with it.

In short: Design your application thus that you don’t have to care who sees the layout.

I strongly recommend reading the Meteor Guide, particularly the sections on URLs and Routing, Users and Accounts and Security.

Actually, probably best to read everything :wink: