Generic or specific publications (Best practices help)

So I’ve just stumbled upon a “problem” with my pub/sub model, and I’m wondering what the best strategy is to work around it.

Example: Right now my orders publication takes the following params: order, statuses, history. Obviously the first param lets me subscribe to just a single order or, when passed an Array, to multiple orders; the others are not important right now.

But as the app grows I kind of need more granular control over the publication. Is it better to write specific publications, where I specifically determine what gets published, or to stay more generic?

Specific:

Meteor.publish('manager.orders.table', function () {
    return orders.find(someSpecificQuery, someSpecificOptions);
});

Generic:

Meteor.publish('orders', function (query, options) {
    // perform validations - checks

    // perform query validations?

    return orders.find(query, options);
});

Also, what concerns me: do I need to perform query validations? Like seeing if there are some “unsafe” operators (NoSQL injection), and if so, which ones are considered dangerous? I do know that this way users could get all my orders, but that could be worked around with user roles.

There are some useful tips in the Meteor Guide on security of publications and some pointers on ensuring that passed-in queries reduce the data published.

Also, a good post on “noSQL injection” at the east5th blog.
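One way to do the query validation the thread asks about is a whitelist: the generic publication accepts only known field names, a handful of comparison operators and a capped limit/projection, and the server adds the ownership constraint itself so the client can only narrow the result. This is an added example, not code from the original post or the Meteor Guide; the field names, the `userId` ownership field, the allowed operators and the `orders` collection name are assumptions.

```javascript
// Added example, not from the original post: a whitelist sanitizer for the
// generic 'orders' publication. Field names, operators and option keys not
// listed here are rejected before anything reaches orders.find(). The field
// names and the ownership field (userId) are assumptions.
const ALLOWED_FIELDS = new Set(['_id', 'status', 'createdAt']);
const ALLOWED_OPERATORS = new Set(['$eq', '$in', '$gte', '$lte']);
const MAX_LIMIT = 100;
const isPlainObject = (v) => v !== null && typeof v === 'object' && !Array.isArray(v);
const isScalar = (v) => ['string', 'number', 'boolean'].includes(typeof v) || v instanceof Date;

// Returns a selector safe to pass to orders.find(), or throws on anything not whitelisted.
function sanitizeOrderSelector(query, userId) {
  if (!isPlainObject(query)) throw new Error('selector must be an object');
  const safe = {};
  for (const [field, cond] of Object.entries(query)) {
    // Unknown keys include top-level operators such as $where, $or and $expr.
    if (!ALLOWED_FIELDS.has(field)) throw new Error(`field not allowed: ${field}`);
    if (isScalar(cond)) { safe[field] = cond; continue; }
    if (!isPlainObject(cond)) throw new Error(`bad condition for ${field}`);
    const ops = {};
    for (const [op, val] of Object.entries(cond)) {
      if (!ALLOWED_OPERATORS.has(op)) throw new Error(`operator not allowed: ${op}`);
      const ok = op === '$in' ? Array.isArray(val) && val.every(isScalar) : isScalar(val);
      if (!ok) throw new Error(`bad value for ${op}`);
      ops[op] = val;
    }
    safe[field] = ops;
  }
  safe.userId = userId; // ownership is set by the server, never taken from the client
  return safe;
}

// Only limit and a whitelisted fields projection survive; everything else is dropped.
function sanitizeOrderOptions(options) {
  const o = isPlainObject(options) ? options : {};
  const limit = Number.isInteger(o.limit) && o.limit > 0 ? Math.min(o.limit, MAX_LIMIT) : MAX_LIMIT;
  const fields = {};
  for (const f of Object.keys(isPlainObject(o.fields) ? o.fields : {})) {
    if (ALLOWED_FIELDS.has(f)) fields[f] = 1;
  }
  return Object.keys(fields).length ? { limit, fields } : { limit };
}
// Wiring into the publication; guarded so the functions above also run in plain Node.
if (typeof Meteor !== 'undefined') {
  Meteor.publish('orders', function (query, options) {
    if (!this.userId) return this.ready();
    return orders.find(sanitizeOrderSelector(query, this.userId), sanitizeOrderOptions(options));
  });
}
```

Because the selector is rebuilt from scratch rather than passed through, a client cannot smuggle in `$where`, `$regex` or a different `userId`; anything outside the whitelist fails loudly instead of silently widening the result set.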