Can anybody access the Meteor.users collection?


I am using the accounts-ui package, and after a successful login, I can go to the console and use Meteor.users.find().fetch() and it shows a lost of objects.

The question is, if I deploy this ap, can I still be able to use that command in the console? And If I can, then the whole of Meteor Community can check it out, and hence a security issue.

I will use Subscribe and Publish, so will that restrict the amount of datato only the user who is logged in?


Do you have the autopublish package still included (it is by default)?

You can meteor remove autopublish and everything will no longer be published to everyone by default.


That worked like charm.