Clarification on where to set meteor.users.allow

Slavrix · December 21, 2016, 12:42am

I want to let my users edit their own profiles, but only their own profiles.
I’ve got this snippet which I’m pretty sure is correct to allow me to set the permissions.

  ownsDocument(userId, doc) {
      return doc && doc.userId === userId;
  };

  Meteor.users.allow({
    update: this.ownsDocument
  });

This is the update that I’m calling which was working until I removed insecure.

     Meteor.users.update(Meteor.userId(), {
       $set: {
         "data": {
           "teams": teams,
           "currentrole": this.profile.getRole(),
           "ffanumber": this.data.ffanumber,
           "userDetail": userDetail,
           "contact1": contact1
         }
       }
     }, () => {
      loading.dismiss();
      this.navCleanup(TopicsPage);
     });

Main issue is where should I place the allow snippet?
I’m using angular2 with ionic2 and meteor

Slavrix · December 21, 2016, 3:19am

Seems that if i set it to profile instead of data it works fine actually.

copleykj · December 21, 2016, 4:24am

By default the users collection allows client side updates to the profile key of each users own user document. This, if you are not aware, is a minor security concern which could allow any user to delete their whole profile, or store a pretty decent amount of arbitrary data in their user document that you don’t expect to be there. I personally recommend setting a deny rule and creating a separate collection to store profiles.

Slavrix · December 21, 2016, 5:03am

Yea that will probably be the way I end up going closer to production.
Thanks.

robertdavid010 · May 24, 2017, 11:51am

I attach schemas to the collection. Should this not prevent at least any user from passing data to the server? Otherwise all they can do is bloat their browser memory…