How can I update other users' accounts as an admin?

#1

When I try to update a user’s account as an admin, I get: update failed: Access denied
This is my code:

```
function updateUser() {
  Meteor.users.update(
    {
      _id: id,
    },
    {
      $set: {
        profile: {
          email: user.email,
          name: user.name,
          surname: user.surname,
          role: user.role,
          subject: user.subject,
          classNumber: user.classNumber,
          classIdentity: user.classIdentity,
          birthDate: user.birthDate,
        },
      },
    },
  );
  Meteor.users.allow({
    update: updateUser,
  });
}
```

#2

I think you’re a tad confused on how allow/deny works. The allow and deny functions of a collection take a map of functions where the eventual return of those functions should be Boolean in nature. If any allow function returns true, no matter if any other has returned false, the operation is allowed to proceed. The converse is true for deny functions. If any deny function returns true, no matter if any other returned false, the operation is not allowed to proceed. These functions should only do very simple checking, and not have side effects.

Your allow function should look something like this…

```
import { Meteor } from 'meteor/meteor';

Meteor.users.allow({
  update(userId, doc) {
    const currentUser = Meteor.users.findOne(userId);
    return !!currentUser && currentUser.role === "admin";
  }
});
```

Style Tip :nail_care:

Wrapping code blocks in triple backticks makes them easier for others to read by displaying them with fixed width fonts, stopping them from wrapping, and adding syntax highlighting.

```
// code here
```

#3

It also doesn’t work, @copleykj help me, please

#4

I’d need to see the code to help.

#5

This is my code:

```
import { Meteor } from 'meteor/meteor';
export function updateAccounts(id, user) {
  function updateUser() {
    Meteor.users.update(
      {
        _id: id,
      },
      {
        $set: {
          profile: {
            email: user.email,
            name: user.name,
            surname: user.surname,
            role: user.role,
            subject: user.subject,
            classNumber: user.classNumber,
            classIdentity: user.classIdentity,
            birthDate: user.birthDate,
          },
        },
      },
    );
  }
  Meteor.users.allow({
    update() {
      return true;
    },
  });
  updateUser();
}
```

#6

Your allow method should be a standalone piece of code that runs once, on the server, before any client-side updates are run.

The code you show will run the allow method each and every time you call the updateAccounts function. If this code is executed on the server, then it wouldn’t make sense to use allow and deny methods and they won’t have any effect, and you would be creating subsequent allow checks on your collection each time this runs. If it is executed on the client, then no matter how many times you call the allow check, it won’t have any effect since these checks only run on the server.

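An added example, not written by any poster in this thread and not Meteor's own code: a simplified plain-JavaScript model of the rule evaluation described in posts #2 and #6, with a deny rule added to show deny taking precedence over allow. `RuleSet`, `clientUpdate` and the sample users are hypothetical names and constructed data.

```javascript
// Simplified model of how client-initiated writes are checked against
// allow/deny rules. RuleSet and clientUpdate are hypothetical names, not Meteor APIs.
class RuleSet {
  constructor() {
    this.allowRules = [];
    this.denyRules = [];
  }
  allow({ update }) { this.allowRules.push(update); }
  deny({ update }) { this.denyRules.push(update); }
  // Permitted only if no deny rule returns true AND at least one allow rule does.
  permits(userId, doc, fieldNames, modifier) {
    if (this.denyRules.some((rule) => rule(userId, doc, fieldNames, modifier))) return false;
    return this.allowRules.some((rule) => rule(userId, doc, fieldNames, modifier));
  }
}

// Constructed sample users; role is a top-level field, as in the check from post #2.
const users = new Map([
  ['a1', { _id: 'a1', role: 'admin', profile: { name: 'Ada' } }],
  ['s1', { _id: 's1', role: 'student', profile: { name: 'Sam' } }],
  ['s2', { _id: 's2', role: 'student', profile: { name: 'Sol' } }],
]);

// Rules are registered once, at server startup, never inside the update function.
const serverRules = new RuleSet();
serverRules.allow({
  update(userId) {
    const currentUser = users.get(userId);
    return !!currentUser && currentUser.role === 'admin';
  },
});
// Deny wins over allow: the field the admin check trusts cannot be set from a client.
serverRules.deny({
  update(userId, doc, fieldNames) {
    return fieldNames.includes('role');
  },
});

// Models a client calling update(): the server checks its rules before writing.
function clientUpdate(rules, userId, targetId, modifier) {
  const doc = users.get(targetId);
  const fieldNames = Object.keys(modifier.$set || {});
  if (!doc || !rules.permits(userId, doc, fieldNames, modifier)) return 'Access denied';
  Object.assign(doc, modifier.$set); // only top-level $set keys are modelled
  return 'updated';
}
```

Passing a fresh `new RuleSet()` to `clientUpdate` models the situation in post #5, where the allow rule never reaches the server: with no allow rule registered there, every client write is denied.
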
#7

@copleykj, here is the problem: I want to edit others’ accounts as an admin, but it says update failed: Access denied. Right now I can edit only my own account. What do you think the solution will be?