Convenient way for Security with methods


#1

In the Meteor tutorial I saw that I have to do “Security with methods”. Do I have to do that when I have done PuSu (as I think you call it), per userId from the server? Is there a more convenient way of doing it, as I have several Collections?

I have a hard time wrapping my head around this issue, but is publishing projects like this, by userId, not safe?

Meteor.publish('projects', function(){
  return Projects.find({userId:this.userId});
});

Can anyone run this in the console on the server to remove all projects for all users?

Projects.find({}).forEach(function (doc) {
   Projects.remove({_id: doc._id});
});

If so, what’s the difference with this https://www.discovermeteor.com/blog/meteor-and-security/ ?


#2

Well yes, if they have the rights to do it. Remove the insecure package and it’s okay.


#3

For your remove to run on the client, you’d need an explicit allow rule for that to work. On the server, it would work out of the box.


#4

The server is something that only I, as the creator of the app, have access to, right?


#5

Yes, I recommend you read this too to learn more about Meteor.methods: http://meteortips.com/first-meteor-tutorial/methods/
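
The server-side ownership check that replies #3 and #5 point to, as an added example that is not part of the original thread. It is plain Node.js so it runs without Meteor: the handler has the shape of one passed to `Meteor.methods`, while the method name `projects.remove`, the in-memory `projects` map, and the `callMethod` and `tryCall` helpers are hypothetical stand-ins for the collection and for Meteor's method dispatch.

```javascript
// Added illustration: plain Node.js, no Meteor required.
// `projects` and `callMethod` are stand-ins (assumptions) for a Mongo
// collection and for Meteor's method dispatch, which sets this.userId.
const projects = new Map([            // constructed sample data
  ['p1', { _id: 'p1', userId: 'alice', name: 'Alice project' }],
  ['p2', { _id: 'p2', userId: 'bob', name: 'Bob project' }],
]);

const methods = {
  // Same shape as a handler passed to Meteor.methods({...}).
  'projects.remove'(projectId) {
    // 1. Never trust client arguments: validate the type first.
    //    (In a Meteor app, check(projectId, String) does this.)
    if (typeof projectId !== 'string' || projectId.length === 0) {
      throw new Error('invalid-argument');
    }
    // 2. Require a logged-in caller; this.userId is set by the server,
    //    so the client cannot supply someone else's id.
    if (!this.userId) {
      throw new Error('not-authorized');
    }
    // 3. Authorize against the stored owner, not anything the client sent.
    const doc = projects.get(projectId);
    if (!doc || doc.userId !== this.userId) {
      throw new Error('not-authorized');
    }
    projects.delete(projectId);
    return 1; // number of removed documents
  },
};

// Stand-in for the server invoking a method on behalf of a connection.
function callMethod(userId, name, ...args) {
  return methods[name].call({ userId }, ...args);
}

// Returns the error message instead of throwing, for easy inspection.
function tryCall(userId, name, ...args) {
  try {
    return callMethod(userId, name, ...args);
  } catch (err) {
    return err.message;
  }
}
```

The same three checks apply to every collection, so with several Collections the ownership test can live in one shared helper that each method calls.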