Create/render html by authorization

Hi all,

I have played with Meteor 0.6.x for two years. I am now back but have a question.

Is it possible to have finer-grained authorization working in the templates?

That means if I have a user account with not only roles like 'USER' or 'ADMIN', but more like rights such as 'customer_can_add', 'customer_can_delete'.

Is it possible to secure the creation/rendering of, e.g., a button?

{{#if hasRight 'customer_can_delete'}}
  <button>delete</button>
{{/if}}

thanks
Stephan

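// Global template helper: UI only, it decides what is rendered, not what is allowed
Template.registerHelper('hasRight', function (role) {
  var userId = Meteor.userId();
  // check the role here, for example with your own App.Users.hasRole(userId, role)
  var hasRole = App.Users.hasRole(userId, role);
  return hasRole;
});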

Great.

Is this secure? Meaning it cannot be hacked on the client side?

Oh? I didn't take your point about security. No, it is not secured. I guess it is only for the UI. I found there aren't any options to make it secured. Only server-side validation for user actions/publications.

The point is, whether or not it’s possible to hack the client to render a button, the action of then clicking on the button must be secured on the server (allow/deny on publications or validation within a method).

What you are looking for is alanning:roles using both the groups and roles

// server/startup.es6
Groups = new Mongo.Collection('groups');
Articles = new Mongo.Collection('articles');

if (Meteor.isServer) {
  Meteor.startup(function () {
    var userId = Accounts.createUser({
      email: 'fake@fake.org',
      password: 'password'
    });

    var groupId = Groups.insert({ name: 'group_name' });

    Roles.addUserToRoles(userId, ['can-edit', 'can-create'], groupId);
  });
}

To secure your data that is viewed, use the publications

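// server/publications.es6
Meteor.publish('articles', function (groupId) {
  // userIsInRole takes (user, roles, group): pass the roles granted in startup
  // and use groupId as the group, not as the role name
  if (Roles.userIsInRole(this.userId, ['can-edit', 'can-create'], groupId)) {
    return Articles.find({
      // same field name that the allow rules check (doc.groupId)
      groupId: groupId
    });
  } else {
    return [];
  }
});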

Then to control what people can update or control, use the allow hooks on the collection

// server/allow.es6
Articles.allow({
  insert: function (userId, doc) {
    // 'can-create' is the role granted in startup; 'can-write' is never assigned
    return Roles.userIsInRole(userId, 'can-create', doc.groupId);
  },
  update: function (userId, doc, fieldNames) {
    // don't allow anyone to change the groupId
    if (_.contains(fieldNames, 'groupId')) {
      return false;
    }
    return Roles.userIsInRole(userId, 'can-edit', doc.groupId);
  }
});

As has been said, the security does not lie in whether or not the user can render the button in the client, as there is nothing you can realistically do to totally prevent that.

Secure your methods and it won’t matter if they have the button, it won’t work. Obviously you will hide the button for users who can’t use it, but if they somehow get it to render it won’t matter.
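An added example, not part of the original thread, of what "secure your methods" looks like for the delete button: the server method repeats the 'customer_can_delete' check itself, so a forced render of the button changes nothing. The method name 'customers.delete', the Customers collection and the injected `deps` object are assumptions made for illustration.

```javascript
// Added example, not from the thread. 'customers.delete', Customers and the
// `deps` object are hypothetical names; Roles.userIsInRole is alanning:roles.
function makeDeleteCustomer(deps) {
  return function deleteCustomer(customerId) {
    // Meteor sets this.userId from the logged-in connection; the client cannot supply it.
    var userId = this.userId;
    if (!userId) throw deps.error('not-logged-in');
    if (typeof customerId !== 'string' || customerId === '') throw deps.error('bad-request');
    var customer = deps.findCustomer(customerId);
    if (!customer) throw deps.error('not-found');
    // The group is read from the stored document, never from a client argument.
    if (!deps.userIsInRole(userId, 'customer_can_delete', customer.groupId)) {
      throw deps.error('not-authorized');
    }
    deps.removeCustomer(customerId);
    return true;
  };
}

// Wiring on a Meteor server (skipped when the file runs outside Meteor).
if (typeof Meteor !== 'undefined' && Meteor.isServer) {
  var Customers = new Mongo.Collection('customers');
  Meteor.methods({
    'customers.delete': makeDeleteCustomer({
      error: function (code) { return new Meteor.Error(code); },
      userIsInRole: function (u, r, g) { return Roles.userIsInRole(u, r, g); },
      findCustomer: function (id) { return Customers.findOne(id); },
      removeCustomer: function (id) { Customers.remove(id); }
    })
  });
}

// Constructed in-memory stand-ins so the check can be exercised without Meteor.
function runDemo(callerId) {
  var customers = { c1: { groupId: 'g1' } };
  var rights = { alice: { g1: ['customer_can_delete'] }, bob: { g1: ['customer_can_add'] } };
  var method = makeDeleteCustomer({
    error: function (code) { return new Error(code); },
    userIsInRole: function (u, r, g) { return !!(rights[u] && rights[u][g] && rights[u][g].indexOf(r) !== -1); },
    findCustomer: function (id) { return customers[id]; },
    removeCustomer: function (id) { delete customers[id]; }
  });
  try {
    method.call({ userId: callerId }, 'c1'); // what a method call from any client reaches
    return 'deleted';
  } catch (e) {
    return e.message;
  }
}
```
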

Ah, many thanks to all of you.

So I'm coming from the Java servlet side, where things like the creation of buttons can be fully controlled before sending the HTML code to clients.

So if I understand your answers right, for Meteor:

  1. Secure the DAO method calls. OK
  2. Show/hide a button by using a custom function in the template (not secure, but does the job in connection with 'securing DAO methods')

thanks
Stephan