Template.registerHelper('hasRight', function(role) {
var userId = Meteor.userId();
var hasRole = <check role here, for example App.Users.hasRole(userId, role)>
return hasRole;
});
Oh? I didnt take your point about security. No it is not secured. I guess it is only for UI. I found there arent any options to make it secured. Only server-side validation for user actions/publications.
The point is, whether or not it’s possible to hack the client to render a button, the action of then clicking on the button must be secured on the server (allow/deny on publications or validation within a method).
As has been said, the security does not lie in whether or not the user can render the button in the client, as there is nothing you can realistically do to totally prevent that.
Secure your methods and it won’t matter if they have the button, it won’t work. Obviously you will hide the button for users who can’t use it, but if they somehow get it to render it won’t matter.