I went to update an old project and discovered all data was published. First idea was “oh shit, I have forgotten to remove the autopublish package”. Unfortunately, that was not the case, autopublish was not there and trying to remove it confirmed it. I checked the other packages and removed all those I found suspect, but it did not help. So I googled myself here:
I saw other had the problems and various solutions. I was helped by a simple meteor reset, but I fear there might be many of you that has applications running with all data exposed without knowing it. Check them! (just do a MyCollection.find().fetch() in the console )
The problem returned for me, all my data is published even if I remove all Meteor.publish() statements. I am a bit at loss how to debug this and surprised that this issue does not gets any attention. I am sure I did not have this problem before the ‘meteor update’ because I remember checking what data was published and available at the client.
Package.autopublish is undefined on server, setting to false changes nothing. App is deployed with mup, but I am not sure what you mean by “development environment”.
I have removed all third party packages, one by one.