Collection Rules: How can you break them?


#1

So I have a quick question about Meteor and a few things that I have run into so far. Let's say we have a Collection called Entries, but you don’t want anyone to be able to make any entries except, say, an Accountant, so you can add allow and deny rules to the collection in order for an accountant to add new entries. Now some of these entries can be automated and entered by the system whenever a product is sold, let's say, so there is no reason to have the accountant add them. Well, the thing is that the allow and deny rules say that only an accountant can insert new entries, so the insert will be denied. Which obviously isn't a great thing. So now I come to my question: how can we have the security of allowing and blocking certain users from things, but still allow the server to do what you want it to?

Does anyone have any feedback?


#2

Allow and deny rules only manage access to the collection from the client. The server always has unrestricted access, so as long as your system process runs on the server, it can do what it wants.
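
The behaviour described in the answer above, as an added example that is not part of the original thread and is not Meteor's own code: a plain-JavaScript model of how client-originated inserts are checked against allow/deny rules while server-side code writes directly. `ModelCollection`, `clientInsert`, `recordSale`, `tryClientInsert`, the role table and the deny rule are hypothetical names and assumptions made for illustration.

```javascript
// Minimal model of allow/deny evaluation (constructed for illustration;
// in a real app the rules would be Entries.allow({...}) / Entries.deny({...})).
class ModelCollection {
  constructor() {
    this.docs = [];
    this.allowRules = [];
    this.denyRules = [];
  }
  allow(rule) { this.allowRules.push(rule); }
  deny(rule) { this.denyRules.push(rule); }

  // Trusted path: code running on the server. No rules are consulted.
  insert(doc) {
    this.docs.push({ ...doc });
    return this.docs.length;
  }

  // Untrusted path: an insert that originated from a client.
  // Any deny rule returning true rejects the write; otherwise at least
  // one allow rule must return true.
  clientInsert(userId, doc) {
    const denied = this.denyRules.some((r) => r.insert && r.insert(userId, doc));
    const allowed = this.allowRules.some((r) => r.insert && r.insert(userId, doc));
    if (denied || !allowed) throw new Error('Access denied');
    return this.insert(doc);
  }
}

// Constructed sample data: user ids mapped to roles.
const roles = { u1: 'accountant', u2: 'sales' };
const Entries = new ModelCollection();

// Only accountants may insert from the client.
Entries.allow({ insert: (userId) => roles[userId] === 'accountant' });
// Assumed extra rule: clients may not submit entries marked as system generated.
Entries.deny({ insert: (userId, doc) => doc.source === 'system' });

// Server-side automation, run when a product is sold: never hits the rules.
function recordSale(productId, amount) {
  return Entries.insert({ productId, amount, source: 'system' });
}

// Returns true if a client insert is accepted, false if the rules reject it.
function tryClientInsert(userId, doc) {
  try { Entries.clientInsert(userId, doc); return true; } catch (e) { return false; }
}
```

In Meteor, Methods also run on the server, so an insert made inside a Method bypasses allow/deny as well and needs its own authorization check.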


#3

You know, I have tried this multiple times and the rules always seem to win… But I just tried it on a new app and it worked kinda odd. Well, this changes a lot of things and answers a lot of questions. Thank you @robfallows.