Check if a project exists and the user can have access to it

Hi guys,

I have the following code in my meteor app:

<template name="edit">
	{{#if projectExists projectId}}
		{{#if isAllowed projectId}}
			{{> ide_modals}}
			{{> ide}}
		{{else}}
			{{> not_allowed}}
		{{/if}}
	{{else}}
		{{> error_page}}
	{{/if}}
</template>

But every time I access the page, the “error_page” template shows first, and only afterwards is the right page displayed.

How can I check whether a project exists, and whether a user is allowed to access it, in the right way?

Thanks for all,
Cheers,

This could be called something akin to a flash of unstyled content. It happens because the template runs before your subscription data is available. I am also looking forward to seeing what approaches are commonly used in the community to handle this.

The canonical way of handling this in Blaze is by using {{#if Template.subscriptionsReady}} in your template. In @hilty’s example, this would be:

<template name="edit">
  {{#if Template.subscriptionsReady}}
    {{#if projectExists projectId}}
      {{#if isAllowed projectId}}
        {{> ide_modals}}
        {{> ide}}
      {{else}}
        {{> not_allowed}}
      {{/if}}
    {{else}}
      {{> error_page}}
    {{/if}}
  {{/if}}
</template>

This approach is predicated on the use of template level subscriptions.

Thanks @robfallows! =)

I made the changes that you recommended on my page, and in the code I added this:

Template.edit.onCreated(function(){
	var self = this;
	self.subscribe("current-project", Router.current().params._id);
});

One more question about it…

Before, I was doing the “isAllowed” check this way:

	isAllowed: function(id){
		Meteor.call("isAllowed", id, function(err,res){
			Session.set("isAllowed", res);
		});

		return Session.get("isAllowed");
	}

But because of the Meteor.call delay I was still having the problem of “not_allowed” showing. To avoid it now I’m doing the check this way:

	isAllowed: function(id){
		var user = Meteor.userId();
		// Look up the project by the id passed to the helper; guard against the
		// document not (yet) being published, which would otherwise throw.
		var project = Projects.findOne(id);
		return !!project && user === project.owner;
	}

My question is: is this the best way to make this check? To me it sounds a little insecure.

Neither of those approaches is secure. In the first example, I can set the Session variable through my browser’s web inspector and override your value.

The only secure way to do this is to do the verification on the server and only ever return documents belonging to the user. Methods and publications have access to the user id of the connecting client and this cannot be manipulated externally.
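The server-side pattern described in this reply, as an added example that is not code from the thread or from Meteor itself: the ownership check lives in the publication and the method, keyed on the server-assigned `this.userId`, so the client can only ever receive documents it owns. Because the verifier cannot load Meteor, the `Projects` collection and the publish/method context are tiny constructed stand-ins; in a real app the two functions would be registered as `Meteor.publish("current-project", currentProject)` and `Meteor.methods({ isAllowed })` and `Projects` would be a `Mongo.Collection`. The project ids, owners and names are constructed sample values.

```javascript
// Constructed sample data standing in for the Projects collection.
const PROJECTS = [
  { _id: "p1", owner: "alice", name: "Alice's project" },
  { _id: "p2", owner: "bob", name: "Bob's project" },
];

// Minimal stand-in for a Mongo.Collection: find()/findOne() with an
// equality selector, enough to show the selector that matters below.
const Projects = {
  find(selector) {
    return PROJECTS.filter((doc) =>
      Object.keys(selector).every((key) => doc[key] === selector[key]));
  },
  findOne(selector) {
    return Projects.find(selector)[0];
  },
};

// Publication body (real app: Meteor.publish("current-project", currentProject)).
// `this.userId` is filled in by the server from the authenticated DDP
// connection, so a client cannot forge it the way it can a Session variable.
function currentProject(projectId) {
  if (typeof projectId !== "string") {
    throw new Error("projectId must be a string");
  }
  if (!this.userId) {
    return []; // not logged in: publish nothing
  }
  // The owner is part of the selector: documents belonging to anyone else
  // never leave the server, whatever the client asks for.
  return Projects.find({ _id: projectId, owner: this.userId });
}

// Method body (real app: Meteor.methods({ isAllowed })). Same check, but as a
// yes/no answer the client can use to tell "not allowed" from "not found".
function isAllowed(projectId) {
  if (typeof projectId !== "string") {
    throw new Error("projectId must be a string");
  }
  if (!this.userId) {
    return false;
  }
  const project = Projects.findOne({ _id: projectId });
  return !!project && project.owner === this.userId;
}

// Invoke a publish/method function the way Meteor does: with the
// server-assigned userId bound as `this`. Used here only to exercise the
// functions outside Meteor.
function runAs(userId, fn, ...args) {
  return fn.apply({ userId }, args);
}
```

With the publication written this way, the client-side `isAllowed` helper no longer needs to compare owners at all: `Projects.findOne(id)` is either the user's own project or `undefined`, and the template can render `not_allowed` on `undefined` once `Template.subscriptionsReady` is true. The client-side comparison can stay for display purposes, but it is no longer what protects the data.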