Filter owner data for user access Logged-In (this.userId)

Hello everyone! I’m new here! :slight_smile:
I need help: I’m not able to make the selector attribute work to filter the data of a page and apply the permissions added by users (owner).

Here is the JS for the DataTable, using the package aldeed:tabular (https://atmospherejs.com/aldeed/tabular):

reportpage.html

<template name="reportpage">
    {{> tabular table=TabularTables.Dealers selector=selector class="table table-striped table-bordered table-condensed"}}
</template>

reportpage.js

TabularTables = {};

Meteor.isClient && Template.registerHelper('TabularTables', TabularTables);

TabularTables.Dealers = new Tabular.Table({
  name: "Dealers",
  collection: Dealers,
  autoWidth: false,
  responsive: true,
  columns: [
    {data: "owner", title: "Name"},
    {data: "p_iva", title: "Phone"},
    {data: "p_iva", title: "Phone"},
    {data: "name", title: "Name"},
  ],
  selector: function (userId) {
    if (!!userId) {
      return { owner: userId };
    }
  },
});

How can I fix it? Please help me! :frowning:

The way that this package works, selector needs to be a helper on your template:

Template.reportpage.helpers({
  selector () {
    if (!!Meteor.userId()) {
      return { owner: Meteor.userId() };
    }
  },
});

I will say that using the selector for security can be problematic at times. I don’t use the package currently, but I recall that we only used datatables on pages where we were already locking down access via other means.

Thank you!!! It works perfectly! :slight_smile: But I wanted a clarification about the security you are talking about: how is it problematic?

The software is for internal use, so limited to us, but I would still like to know, if it is not a bother, what problems might happen.

Thank you very much! :slight_smile:


So when you set a selector at the constructor level, then the selector applies to what is returned from the server to the client.

TabularTables.Dealers = new Tabular.Table({
  selector () {
    if (!!Meteor.userId()) {
      return { owner: Meteor.userId() };
    }
  },
});

When you set a selector at the helper level, then the selector is applied to the client-side documents:

Template.reportpage.helpers({
  selector () {
    if (!!Meteor.userId()) {
      return { owner: Meteor.userId() };
    }
  },
});

We had problems using selectors in the constructor though, as support for dynamic, role-based selectors just wasn’t working for us. Fortunately, where we were using the tables, we could limit the actual page where the tables were being displayed by role, and this wasn’t a problem.

But if you wanted to prevent sensitive docs from hitting the client-side, then you’d need to have your selector in the constructor. We just had issues getting this to work as expected.

Thanks for the explanation! :slight_smile:

In the constructor:

selector: function (userId) {
  return { owner: userId || "not-existing-id" };
}

So you never publish sensitive data to the client if not logged in.

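The difference between a helper-level and a constructor-level selector discussed in this thread, as an added example that is not part of the original posts and is not aldeed:tabular's own code. It is a plain Node.js model: the `matches` helper, the two `publish...` functions and the sample records are constructed for illustration, and it assumes the server combines its own selector with the client's using `$and`.

```javascript
// Constructed sample data: dealer records for two owners (not from the thread).
const dealers = [
  { _id: "d1", owner: "userA", name: "Alpha Motors" },
  { _id: "d2", owner: "userA", name: "Beta Cars" },
  { _id: "d3", owner: "userB", name: "Gamma Auto" },
];

// Minimal matcher: supports field equality and $and only (enough for this demo).
function matches(doc, selector) {
  return Object.entries(selector).every(([key, value]) =>
    key === "$and"
      ? value.every((sub) => matches(doc, sub))
      : doc[key] === value
  );
}

// Constructor-level selector from the last post: evaluated on the server with
// the publication's user id, so a logged-out client matches nothing.
const serverSelector = (userId) => ({ owner: userId || "not-existing-id" });

// Hypothetical publish step: the server constraint is ANDed with whatever the
// client sent, so the client can narrow the result set but never widen it.
function publishWithServerSelector(userId, clientSelector = {}) {
  const selector = { $and: [serverSelector(userId), clientSelector] };
  return dealers.filter((doc) => matches(doc, selector));
}

// Hypothetical publish step that relies only on the helper-level selector:
// the filter is whatever arrives from the client.
function publishWithClientSelectorOnly(clientSelector = {}) {
  return dealers.filter((doc) => matches(doc, clientSelector));
}

const ids = (docs) => docs.map((d) => d._id).join(",");

// Same client input ({} instead of { owner: userId }) against both designs.
console.log("client-only, {}:", ids(publishWithClientSelectorOnly({})));
console.log("server AND {}:", ids(publishWithServerSelector("userA", {})));
console.log("server AND other owner:",
  ids(publishWithServerSelector("userA", { owner: "userB" })));
console.log("logged out:", ids(publishWithServerSelector(null, {})));
```

Only the server-side constraint decides which documents can leave the server; the helper-level selector is a display filter.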