Collection visibility in the browser console

I have an app that only uses methods to manipulate data, and it uses pub/sub to get data to the client. I am being careful to only send the bare minimum of data to the client, but sometimes it’s hard to tie that down (dynamically publishing individual fields in a publication is somewhat fiddly and requires multiple calls to the database). I have noticed that I can issue Meteor.users.find({}).fetch() in the browser console, and all the data that has been subscribed to is visible right there in the console. I have locked this stuff right down to the bare minimum of what is needed. However, there are other collections (e.g. Posts) that I am subscribing to whose data comes down to the client. Just typing Posts.find({}).fetch() doesn’t (thankfully) work, but I am afraid that someone with more knowledge of Meteor internals will know how to access the contents of that collection (and others) from the console. Is this a valid concern?

Hi, you can see the content of any collection subscriptions or method results by looking in Dev tools > Network > websocket > Messages > look for “msg - added - Collection” anyway. Basically all data sent to the client can be inspected easily, so any sensitive data needs to be filtered on the backend. So make sure you only return data for the current user in the method or subscription, or carry out some other validation of the user permissions.

For individual fields, see: https://guide.meteor.com/security.html#fields

2 Likes
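As an added example (not code from the thread or from Meteor itself), here is what the server-side filtering described in the answer above looks like in practice: a publication that returns only the subscriber's own documents and only a whitelisted set of fields, so nothing else ever reaches the DDP websocket or the client's Minimongo. The `Posts` collection, its field names (`title`, `body`, `ownerId`, `draftNotes`) and the publication name `posts.own` are assumptions for illustration. The query-building logic is kept in plain functions so it can be exercised outside Meteor; the `Meteor.publish` call only runs when the Meteor server runtime is present.

```javascript
// Added example, not from the original thread. Assumes a Posts collection
// (imported elsewhere in a real app) with the fields title, body, ownerId and
// draftNotes, where draftNotes must never leave the server.

// Field whitelist for the publication. Only these keys are serialized to the
// client; anything omitted (draftNotes) is filtered on the backend, so it is
// neither visible in DevTools > Network > websocket nor in the browser console.
const PUBLIC_POST_FIELDS = { title: 1, body: 1, ownerId: 1 };

// Build the selector and options for the publication from the subscriber's
// userId. Returning null means "publish nothing" (an anonymous subscriber).
function ownPostsQuery(userId) {
  if (!userId) return null;
  return {
    selector: { ownerId: userId },          // only the current user's docs
    options: { fields: PUBLIC_POST_FIELDS }, // only whitelisted fields
  };
}

// Apply the same selector/projection to an in-memory array, to show exactly
// which documents and fields the server would send for a given user.
function simulatePublish(docs, userId) {
  const q = ownPostsQuery(userId);
  if (!q) return [];
  return docs
    .filter((d) => Object.entries(q.selector).every(([k, v]) => d[k] === v))
    .map((d) => {
      const out = { _id: d._id }; // _id is always sent by Meteor
      for (const k of Object.keys(q.options.fields)) {
        if (k in d) out[k] = d[k];
      }
      return out;
    });
}

// Constructed sample data for the demonstration (not real application data).
const SAMPLE_POSTS = [
  { _id: 'p1', title: 'Hello', body: 'first',  ownerId: 'alice', draftNotes: 'private a' },
  { _id: 'p2', title: 'Other', body: 'second', ownerId: 'bob',   draftNotes: 'private b' },
  { _id: 'p3', title: 'Again', body: 'third',  ownerId: 'alice', draftNotes: 'private c' },
];

// Convenience wrapper used by the demo and the checks below.
function publishedForUser(userId) {
  return simulatePublish(SAMPLE_POSTS, userId);
}

// True if no published document carries a field outside the whitelist (plus _id).
function onlyWhitelistedFields(published) {
  const allowed = new Set(['_id', ...Object.keys(PUBLIC_POST_FIELDS)]);
  return published.every((doc) => Object.keys(doc).every((k) => allowed.has(k)));
}

// Register the real publication only inside a Meteor server process.
// Meteor.publish, this.userId, this.ready() and the `fields` option are
// standard Meteor APIs; Posts is assumed to be the imported collection.
if (typeof Meteor !== 'undefined' && Meteor.isServer) {
  Meteor.publish('posts.own', function () {
    const q = ownPostsQuery(this.userId);
    if (!q) return this.ready(); // logged-out subscriber gets nothing
    return Posts.find(q.selector, q.options);
  });
}

// Demo when run directly with node.
if (typeof require !== 'undefined' && require.main === module) {
  console.log(publishedForUser('alice'));
  console.log(publishedForUser(undefined)); // []
}
```

The client-side question of whether a collection can be reached from the console then stops mattering: whatever the client can enumerate, it can only enumerate what this publication chose to send, and a second publication with a different whitelist (the "extra publications" mentioned later in the thread) is just another `ownPostsQuery`-style function with its own `fields` map.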

You can find the documentation for pub/sub here: https://docs.meteor.com/api/pubsub.html.

@globalise thanks for that. I figured that it would be available somewhere in dev tools since the browser itself can access it somehow, but didn’t know the websocket trick. I am doing as you suggest in terms of field security and pub/sub stuff, but it looks like I am going to have to create a couple of extra publications with more or less fields in them to avoid having some stuff I don’t want published.