Please help me, it is a big security problem.
How can I forbid Roles.addUsersToRoles on the client side, e.g. in the browser console?
Thanks
Is this alanning:roles?
From the doc:
As with all Meteor applications, client-side checks are a convenience, rather than a true security implementation since Meteor bundles the same client-side code to all users. Providing the Roles functions client-side also allows for latency compensation during Meteor method calls.
NOTE: Any sensitive data needs to be controlled server-side to prevent unwanted disclosure. To be clear, Meteor sends all templates, client-side javascript, and published data to the client’s browser. This is by design and is a good thing. The following example is just sugar to help improve the user experience for normal users. Those interested in seeing the ‘admin_nav’ template in the example below will still be able to do so by manually reading the bundled client.js file. It won’t be pretty but it is possible. But this is not a problem as long as the actual data is restricted server-side.
In other words, if you have properly secured access on the server, users can try to hack permissions on the client, but the server will overrule and deny access.
In my case anyone can assign an admin role to his profile and he can hack the system. What's the solution to restrict Roles access?
This shouldn’t be possible, and if you are finding that it is then my best guess is that you still have the insecure package installed.
Oh, thanks a lot, it works now, thanks a lot.
Thanks for the share, Rob
Doh! The insecure package - I remove that automatically and it didn’t cross my mind.
I do the same thing… It was the only logical reason I could see though for the user record to be able to be modified from the client like that.
me also XD
it didn’t cross my mind
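The cause found in this thread was the insecure package still being installed. As an added example (not code from any poster or from alanning:roles), this Node script audits the text of an app's .meteor/packages file for it; the sample file contents and version numbers are constructed, and flagging autopublish as well goes beyond what the thread discusses.

```javascript
// Added example: flag prototyping packages left in a Meteor app's .meteor/packages file.
const fs = require('fs');

// Packages that relax server-side enforcement. autopublish is an addition beyond the thread.
const RISKY = {
  insecure: 'clients may write to any collection that has no allow/deny rules',
  autopublish: 'every collection is published in full to every client',
};

// .meteor/packages lists one package per line, with optional "@version" and "#" comments.
function parsePackages(text) {
  const names = [];
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.split('#')[0].trim(); // drop comments, including commented-out packages
    if (line) names.push(line.split('@')[0]);
  }
  return names;
}

// Return one finding per risky package, with the command that removes it.
function auditPackages(text) {
  return parsePackages(text)
    .filter((name) => Object.prototype.hasOwnProperty.call(RISKY, name))
    .map((name) => ({ package: name, reason: RISKY[name], fix: `meteor remove ${name}` }));
}

// Constructed sample input, not taken from a real project.
const SAMPLE = [
  '# Meteor packages used by this project, one per line.',
  'meteor-base@1.5.1',
  'mongo@1.16.0',
  'alanning:roles@1.3.0   # role checks',
  'insecure@1.0.7         # left over from prototyping',
  '# autopublish@1.0.7',
].join('\n');

// Usage: node audit-packages.js path/to/.meteor/packages  (script name is hypothetical)
const file = process.argv[2];
const findings = auditPackages(file ? fs.readFileSync(file, 'utf8') : SAMPLE);
for (const f of findings) {
  console.log(`${f.package}: ${f.reason} -> run "${f.fix}"`);
}
if (file && findings.length > 0) process.exitCode = 1; // fail a CI step on a real file
```

Removing the package only closes the client-side write path; role changes still need an authorization check in the server method that performs them.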