Do you need Deny methods if you have removed Insecure?

tomRedox · March 10, 2016, 6:34pm

The Guide recommends this code:

// Deny all client-side updates on the Lists collection
Lists.deny({
  insert() { return true; },
  update() { return true; },
  remove() { return true; },
});

Do you still need that code if you have removed the Insecure package?

sashko · March 10, 2016, 6:36pm

It says right above the code snippet:

This will make sure no other part of your app can use allow:

tomRedox · March 10, 2016, 6:40pm

But doesn’t removing insecure force the use of methods and stop client-side updates? In which case why do you need the deny too?

e.g. the tutorial docs say:

Every newly created Meteor project has the insecure package added by default. This is the package that allows us to edit the database from the client. It’s useful when prototyping, but now we are taking off the training wheels. To remove this package, go to your app directory and run:

meteor remove insecure
If you try to use the app after removing this package, you will notice that none of the inputs or buttons work anymore. This is because all client-side database permissions have been revoked. Now we need to rewrite some parts of our app to use methods.

tomRedox · March 10, 2016, 6:42pm

Ah OK, maybe I’ve clicked, so calling allow elsewhere in the code would turn permissions back on. But if you have said deny then allow has no effect?

EDIT: Does deny also then force server-side code to use methods to update the database too?

hwillson · March 10, 2016, 7:00pm

Server code is automatically trusted, so allow/deny has no effect.

sashko · March 10, 2016, 8:52pm

Hopefully eventually we can just remove allow and deny altogether into a separate package, so that you can just meteor remove allow-deny. Then it will be a lot less confusing.