Do you need Deny methods if you have removed Insecure?

The Guide recommends this code:

// Deny all client-side updates on the Lists collection
Lists.deny({
  insert() { return true; },
  update() { return true; },
  remove() { return true; },
});

Do you still need that code if you have removed the Insecure package?

It says right above the code snippet:

This will make sure no other part of your app can use allow:

But doesn’t removing insecure force the use of methods and stop client-side updates? In which case why do you need the deny too?

e.g. the tutorial docs say:

Every newly created Meteor project has the insecure package added by default. This is the package that allows us to edit the database from the client. It’s useful when prototyping, but now we are taking off the training wheels. To remove this package, go to your app directory and run:

meteor remove insecure

If you try to use the app after removing this package, you will notice that none of the inputs or buttons work anymore. This is because all client-side database permissions have been revoked. Now we need to rewrite some parts of our app to use methods.

Ah OK, maybe I’ve clicked, so calling allow elsewhere in the code would turn permissions back on. But if you have said deny then allow has no effect?

EDIT: Does deny also then force server-side code to use methods to update the database too?

1 Like

Server code is automatically trusted, so allow/deny has no effect.

1 Like

Hopefully eventually we can just remove allow and deny altogether into a separate package, so that you can just meteor remove allow-deny. Then it will be a lot less confusing.

2 Likes
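
Added example, not part of the original thread and not Meteor's own code: a simplified model of the allow/deny decision discussed above. It shows why a stray allow rule reopens client writes even with insecure removed, and why a deny rule that returns true closes them again. The class and function names (ModelCollection, clientWrite, serverWrite, scenarios) are hypothetical.

```javascript
// Simplified model of how Meteor decides whether a client-originated write
// is accepted. Hypothetical names; this is not Meteor's source code.
class ModelCollection {
  constructor({ insecure }) {
    this.insecure = insecure;          // is the `insecure` package installed?
    this.allowRules = [];
    this.denyRules = [];
  }
  allow(rules) { this.allowRules.push(rules); }
  deny(rules) { this.denyRules.push(rules); }

  // Write arriving from a client (e.g. Lists.insert() called in the browser).
  clientWrite(op, userId, doc) {
    const restricted = this.allowRules.length + this.denyRules.length > 0;
    // With `insecure` and no rules at all, every client write is accepted.
    if (!restricted) return this.insecure;
    // Any deny rule returning true rejects the write, whatever allow says.
    if (this.denyRules.some((r) => r[op] && r[op](userId, doc))) return false;
    // Otherwise at least one allow rule must return true.
    return this.allowRules.some((r) => r[op] && r[op](userId, doc));
  }

  // Server code and method bodies write directly; rules are never consulted.
  serverWrite() { return true; }
}

function scenarios() {
  const denyAll = { insert: () => true, update: () => true, remove: () => true };
  const strayAllow = { insert: () => true }; // e.g. added later by mistake

  const prototype = new ModelCollection({ insecure: true });
  const noInsecure = new ModelCollection({ insecure: false });
  const allowOnly = new ModelCollection({ insecure: false });
  allowOnly.allow(strayAllow);
  const allowAndDeny = new ModelCollection({ insecure: false });
  allowAndDeny.allow(strayAllow);
  allowAndDeny.deny(denyAll);

  return {
    prototype: prototype.clientWrite('insert', null, {}),
    noInsecure: noInsecure.clientWrite('insert', null, {}),
    allowOnly: allowOnly.clientWrite('insert', null, {}),
    allowAndDeny: allowAndDeny.clientWrite('insert', null, {}),
    serverWithDeny: allowAndDeny.serverWrite('insert', {}),
  };
}

console.log(scenarios());
```

The deny-all block therefore acts as a guard against an allow rule introduced anywhere else in the app, while methods running on the server keep writing normally.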