Doubt about security and performance


#1

My app allows users to upload pictures. You can make a picture private or not. Private will mean (not ready yet) that only your followers can see the picture.

The user object (so far we’ve got user and picture collections) has a field called following which contains just the IDs of other users following us. These users following us should be able to see our private pictures.

This is my publish.js in pictures collection:

Meteor.publish('pictures', function(options, searchString) {
  const selector = {
    $or: [{
      // the public food
      $and: [{
        private: false
      }]
    }, {
      // when logged user is the owner
      $and: [{
        owner: this.userId
      }, {
        // guard: if this.userId is null, {owner: null} would also match
        // documents with no owner field, so require the field to exist
        owner: {
          $exists: true
        }
      }]
    }]
  };
  return Pictures.find(selector);
});

So now I’m publishing non-private pictures, and both types of pictures for the current user (our private ones and the rest).

How could I add this new option:
“Show me the private pictures of the users that I’m following”

Thanks in advance!


#2

Pictures.find({ owner: { $in: arrayOfUserIdsIAmFollowing }, private: true })

You can obtain arrayOfUserIdsIAmFollowing by accessing the current user’s document. You can invalidate the subscription/method that returns the cursor when you add/remove your own followers. You can pass the array as an argument to the subscription, in a reactive computation on the client, so the subscription will be rerun when the array changes, and only changed data will be sent back down to the user.


#3

Thanks for your answer and sorry for the delay.

How can I access the user.following array? This is a property in the User collection and we are publishing content in Pictures:

Meteor.publish('pictures', function(options, searchString) { const selector = { ...

The only thing I can access from here is the user id.

I don’t know if I’m missing something, maybe.


#4

The most obvious way to do this would be to simply query for the array in the publish function. Another thing you could do is send the array as an argument to the publish function from the client via a reactive subscription. Of course, there would be security issues with that, but tbh, allowing a user to see private posts by simply following someone is a security issue in and of itself.


#5

Ok, I got it now.

I also have read a bit more about publish and subscription here:
https://www.discovermeteor.com/blog/understanding-meteor-publications-and-subscriptions/
and I could understand what you meant with $in:arrayOfUserIdsIAmFollowing in the publish function (sorry, but I’m such a noob with this).

So yes, I’m sending user.following in the subscribe function and I added your query to my selector const.
And now when I click “Follow” I can see the private pictures of that user.

But I don’t know what you mean with this:

there would be security issues with that, but tbh, allowing a user to see private posts by simply following someone is a security issue in and of itself.

Maybe you said it is not secure because the owner doesn’t have any control over this, but the private pictures in my app are just a way to earn more followers; there is no relevant content (they are pictures of food with recipes).

Thanks, was exactly what I was looking for!


#6

Well, the main thing is that if you let a user send the array themselves, then they can mutate the array and see pictures of users that they aren’t following. To counter this, you could check if the array matches their user document array, but in that case, you might as well source the array from a query in the publish function.

Yeah, your use case seems to have a more lax security requirement so it should be fine! But, for example, if users had private/personal content that only their friends could see, you might want to only show that content to people that they follow, or else anyone can follow them and see their personal content. I think your use case doesn’t require that security, IIUC.
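The point made in #4 and #6, as an added example (not code from this thread): the publication builds its selector from the caller’s own user document on the server, so a client-supplied array cannot widen what it sees. It assumes `following` lists the IDs the user follows (the reading the thread settled on), `Meteor.users` and `Pictures` as collection names, and uses a small in-memory matcher plus constructed sample data so it runs offline.

```javascript
// Build the publication selector server-side. findUserById stands in for
// Meteor.users.findOne; the client never supplies the "following" array.
function buildPictureSelector(userId, findUserById) {
  const clauses = [{ private: false }];            // public pictures for everyone
  if (!userId) return { $or: clauses };            // anonymous caller: public only
  clauses.push({ owner: userId });                 // own pictures, private or not
  const me = findUserById(userId);
  const following = me && Array.isArray(me.following) ? me.following : [];
  if (following.length > 0) {
    // private pictures of the users this account actually follows
    clauses.push({ owner: { $in: following }, private: true });
  }
  return { $or: clauses };
}

// Meteor wiring (assumed collection names; not executed here):
// Meteor.publish('pictures', function () {
//   const selector = buildPictureSelector(this.userId,
//     (id) => Meteor.users.findOne(id, { fields: { following: 1 } }));
//   return Pictures.find(selector);
// });

// Minimal matcher for the operators used above ($or, $in, equality), so the
// selector can be evaluated against plain objects in this example.
function matches(doc, sel) {
  return Object.entries(sel).every(([key, cond]) => {
    if (key === '$or') return cond.some((c) => matches(doc, c));
    if (cond !== null && typeof cond === 'object' && '$in' in cond) {
      return cond.$in.includes(doc[key]);
    }
    return doc[key] === cond;
  });
}

// Constructed sample data: alice follows bob; nobody follows carol.
const USERS = {
  alice: { _id: 'alice', following: ['bob'] },
  bob: { _id: 'bob', following: [] },
  carol: { _id: 'carol', following: [] },
};
const PICTURES = [
  { _id: 'p1', owner: 'alice', private: false },
  { _id: 'p2', owner: 'alice', private: true },
  { _id: 'p3', owner: 'bob', private: true },
  { _id: 'p4', owner: 'carol', private: true },
];

// IDs of the pictures a given caller would receive from the publication.
function visiblePictureIds(userId) {
  const sel = buildPictureSelector(userId, (id) => USERS[id]);
  return PICTURES.filter((p) => matches(p, sel)).map((p) => p._id);
}
```

Because the selector is derived from the stored user document, alice sees bob’s private picture but never carol’s, whatever array her client might have sent as a subscription argument.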


#7

Fair enough.

Yes, maybe not for this case, but it is quite important to keep it in mind for further changes/features.

Thanks!