How can I forbid Roles.addUsersToRoles on the client side, e.g. from the browser console?


#1

Please help me, it is a big security problem.

How can I forbid Roles.addUsersToRoles on the client side, e.g. from the browser console?

Thanks


#2

Is this alanning:roles?

From the doc:

As with all Meteor applications, client-side checks are a convenience, rather than a true security implementation since Meteor bundles the same client-side code to all users. Providing the Roles functions client-side also allows for latency compensation during Meteor method calls.

NOTE: Any sensitive data needs to be controlled server-side to prevent unwanted disclosure. To be clear, Meteor sends all templates, client-side javascript, and published data to the client’s browser. This is by design and is a good thing. The following example is just sugar to help improve the user experience for normal users. Those interested in seeing the ‘admin_nav’ template in the example below will still be able to do so by manually reading the bundled client.js file. It won’t be pretty but it is possible. But this is not a problem as long as the actual data is restricted server-side.

In other words, if you have properly secured access on the server, users can try to hack permissions on the client, but the server will overrule and deny access.
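As an added illustration of the point in the reply above (this is example code, not from the thread or from the alanning:roles package): the only check that counts is the one the server makes before it calls Roles.addUsersToRoles. In a Meteor app the function below would be the body of a `Meteor.methods` handler on the server, with `this.userId` passed as `callerUserId` and the real `Roles` object behind the store; here a constructed in-memory user table stands in for `Meteor.users` so the logic runs stand-alone. The user ids, the role names and the `ASSIGNABLE_ROLES` allow-list are all assumptions made for the example.

```javascript
// Added example: server-side authorization in front of Roles.addUsersToRoles.
// Everything below is constructed for illustration; none of it is thread or package code.

// Constructed sample users. Assumption: roles live in a `roles` array on the user
// document, which is how alanning:roles v1 stores them.
const users = new Map([
  ['u-admin', { roles: ['admin'] }],
  ['u-bob', { roles: [] }],
  ['u-eve', { roles: [] }],
]);

// Minimal stand-in for the slice of the Roles API this example needs.
// In a real app an adapter over the package's Roles object would provide these.
const roleStore = {
  hasUser: (userId) => users.has(userId),
  userIsInRole(userId, role) {
    const u = users.get(userId);
    return u !== undefined && u.roles.includes(role);
  },
  addUsersToRoles(userId, roles) {
    const u = users.get(userId);
    for (const r of roles) {
      if (!u.roles.includes(r)) u.roles.push(r);
    }
  },
  rolesOf(userId) {
    const u = users.get(userId);
    return u === undefined ? [] : [...u.roles];
  },
};

// Explicit allow-list of roles this method may hand out (assumption for the example);
// it keeps an unexpected string from the client from creating a new role.
const ASSIGNABLE_ROLES = new Set(['admin', 'editor', 'viewer']);

// The check that matters: the server decides based on who is calling,
// never on anything the client asserts about itself.
function assignRoles(callerUserId, targetUserId, roles, store = roleStore) {
  if (!callerUserId) {
    throw new Error('not-authorized: login required');
  }
  if (!store.userIsInRole(callerUserId, 'admin')) {
    throw new Error('not-authorized: only admins may assign roles');
  }
  const wellFormed = Array.isArray(roles) && roles.length > 0 &&
    roles.every((r) => typeof r === 'string' && ASSIGNABLE_ROLES.has(r));
  if (!wellFormed) {
    throw new Error('invalid-roles: unknown or malformed role list');
  }
  if (!store.hasUser(targetUserId)) {
    throw new Error('not-found: no such user');
  }
  store.addUsersToRoles(targetUserId, roles);
  return store.rolesOf(targetUserId);
}

// Reports whether a call was refused, so the two outcomes can be compared side by side.
function isRejected(fn) {
  try {
    fn();
    return false;
  } catch (e) {
    return true;
  }
}

// Walk-through: an admin can grant `editor` to bob; eve, who holds no role,
// cannot grant herself `admin` no matter what she types into the console.
const granted = assignRoles('u-admin', 'u-bob', ['editor']);      // ['editor']
const refused = isRejected(() => assignRoles('u-eve', 'u-eve', ['admin'])); // true
```

In the app itself this would be registered as `Meteor.methods({ 'roles.assign'(targetUserId, roles) { return assignRoles(this.userId, targetUserId, roles, rolesAdapter); } })`, with `rolesAdapter` wrapping the package's `Roles.userIsInRole` and `Roles.addUsersToRoles`, and the client would call it through `Meteor.call`. The method is only meaningful if the `roles` field on the user document is not writable from the client in the first place; a package that opens all collections to client writes defeats the check regardless of what the method does.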


#3

In my case anyone can assign the admin role to his own profile and hack the system. What is the solution to restrict Roles access?


#4

This may also be useful as a good introduction to roles from @themeteorchef:

https://themeteorchef.com/tutorials/using-the-roles-package


#5

This shouldn’t be possible, and if you are finding that it is then my best guess is that you still have the insecure package installed.


#6

Until now I have it like this


#7

Oh, thanks a lot, it works now. Thanks a lot.


#8

Thanks for the share, Rob :slight_smile:


#9

Doh! The insecure package - I remove that automatically and it didn’t cross my mind.


#10

I do the same thing… It was the only logical reason I could see though for the user record to be able to be modified from the client like that :slight_smile:


#11

Me also XD
It didn't cross my mind.