Can anybody access the Meteor.users collection?


#1

I am using the accounts-ui package, and after a successful login, I can go to the console and use Meteor.users.find().fetch() and it shows a lost of objects.

The question is, if I deploy this ap, can I still be able to use that command in the console? And If I can, then the whole of Meteor Community can check it out, and hence a security issue.

I will use Subscribe and Publish, so will that restrict the amount of datato only the user who is logged in?


#2

Do you have the autopublish package still included (it is by default)?

You can meteor remove autopublish and everything will no longer be published to everyone by default.


#3

That worked like charm.