I went to update an old project and discovered all data was published. First idea was “oh shit, I have forgotten to remove the autopublish package”. Unfortunately, that was not the case, autopublish was not there and trying to remove it confirmed it. I checked the other packages and removed all those I found suspect, but it did not help. So I googled myself here:
I saw other had the problems and various solutions. I was helped by a simple meteor reset, but I fear there might be many of you that has applications running with all data exposed without knowing it. Check them! (just do a MyCollection.find().fetch() in the console )
Seriously? You think “not following the upgrade guide” is an excuse for this? Note that the it is left “non-reproduced” because it disappeared after a meteor reset
The problem returned for me, all my data is published even if I remove all Meteor.publish() statements. I am a bit at loss how to debug this and surprised that this issue does not gets any attention. I am sure I did not have this problem before the ‘meteor update’ because I remember checking what data was published and available at the client.
autopublish is a “fake” package. All it does is force an entry into the Package global. So, first you should check if Package.autopublish is set on the server.
Also, make sure you aren’t using the development environment in production (I have seen examples of this), along with dev-only packages which may set autopublish (I think maybe Meteor Toys does this).
Package.autopublish is undefined on server, setting to false changes nothing. App is deployed with mup, but I am not sure what you mean by “development environment”.
I have removed all third party packages, one by one.