Check for stealth autopublish!

I went to update an old project and discovered all data was published. First idea was “oh shit, I have forgotten to remove the autopublish package”. Unfortunately, that was not the case, autopublish was not there and trying to remove it confirmed it. I checked the other packages and removed all those I found suspect, but it did not help. So I googled myself here:

I saw other had the problems and various solutions. I was helped by a simple meteor reset, but I fear there might be many of you that has applications running with all data exposed without knowing it. Check them! (just do a MyCollection.find().fetch() in the console )

Its not like such things could be done without proper tests.
Though, issue is left non-reproduced. Perhaps they just didn’t follow upgrade guide.

1 Like

Seriously? You think “not following the upgrade guide” is an excuse for this? Note that the it is left “non-reproduced” because it disappeared after a meteor reset

The problem returned for me, all my data is published even if I remove all Meteor.publish() statements. I am a bit at loss how to debug this and surprised that this issue does not gets any attention. I am sure I did not have this problem before the ‘meteor update’ because I remember checking what data was published and available at the client.

autopublish is a “fake” package. All it does is force an entry into the Package global. So, first you should check if Package.autopublish is set on the server.

Also, make sure you aren’t using the development environment in production (I have seen examples of this), along with dev-only packages which may set autopublish (I think maybe Meteor Toys does this).

Package.autopublish is undefined on server, setting to false changes nothing. App is deployed with mup, but I am not sure what you mean by “development environment”.
I have removed all third party packages, one by one.

If you’re using mup, then I don’t think it will be using the development environment (using the meteor command to run your production code).

However, setting Package.autopublish to anything (even false) will enable autopublish, so that may render your package removal tests moot.

I removed the Package.autopublish setting since it did nothing, so that’s not it.