I would like to prevent any leak of userIds other than the current user id.
I have 2 types of actors: users and groups (along with the related group admins). While group ids are (mostly) public, a group admin's user id should not be.
The types of interactions I use on my website are:
- user to user
- user to group
- group admin to user
- group admin to group admin
My plan was to make a “Requests” collection where I store all the information about the 2 ends of an interaction. A complete request document would look like this:
```js
{
  'type': 1, // type of the request
  'from': Meteor.userId(), // emitter (could be a group id)
  'from_name': name, // emitter name
  'from_picture': picture, // emitter picture
  'from_placeholder': phr, // emitter picture dataUrl placeholder
  'to': id, // recipient
  'to_name': toname, // recipient name
  'to_picture': to_pic, // recipient picture
  'to_placeholder': to_phr, // recipient picture placeholder
  'created_by': author, // request creator (must be a userId)
  // same as above with name, picture and placeholder
  'created_at': new Date(),
  'answered_by': john, // request answerer (must be a userId)
  // same as above with name, picture and placeholder + date
  'status': 0 // request status
}
// note that the sole id field published is the request _id
```
As you can see, I denormalize a lot to avoid allowing direct queries on the user collection.
Every user subscribes to his request publication and gets every request related to him (from or to).
Ideally, I would like to be able to include the user info matching the request emitter/receiver/answerer without having to store it in the request itself.
However, the issue is that I don’t want to use Cursor.Observe() because of its scalability and resource issues (same goes for every package based on this, i.e. publish composite related).
Is there a way to achieve this, or a data architecture meeting my needs? I assume that preventing user id leaks is not an uncommon concern, but I don’t know how others do it.
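An added example, not part of the original post: a sketch of the "only `_id` is published" rule for the request document above, with an audit that checks whether another user's id still reaches the client through a denormalized field. The helper names, the sample ids and the picture URLs are assumptions constructed for illustration.

```javascript
// Added example, not from the original post. Field names follow the request
// document above; all ids, names and URLs below are constructed sample values.

// Fields that can hold a userId; the post publishes none of them.
const ID_FIELDS = ['from', 'to', 'created_by', 'answered_by'];

// Return the copy of a request that is sent to clients: every id field
// except _id is dropped, the denormalized name/picture fields are kept.
function toPublishedRequest(doc) {
  const view = {};
  for (const [key, value] of Object.entries(doc)) {
    if (!ID_FIELDS.includes(key)) view[key] = value;
  }
  return view;
}

// Walk a published document and report every path whose value contains a
// userId other than the viewer's, including ids embedded in longer strings.
function findLeakedUserIds(value, userIds, viewerId, path = '') {
  const leaks = [];
  if (typeof value === 'string') {
    for (const id of userIds) {
      if (id !== viewerId && value.includes(id)) leaks.push({ path, id });
    }
  } else if (value && typeof value === 'object' && !(value instanceof Date)) {
    for (const [key, child] of Object.entries(value)) {
      const childPath = path ? `${path}.${key}` : key;
      leaks.push(...findLeakedUserIds(child, userIds, viewerId, childPath));
    }
  }
  return leaks;
}

// Constructed sample: the picture URL embeds the emitter's userId.
const KNOWN_USER_IDS = ['uAlice111', 'uBob22222'];
const sampleRequest = {
  _id: 'req0001', type: 1, status: 0, created_at: new Date(0),
  from: 'uAlice111', from_name: 'Alice', from_picture: '/avatars/uAlice111.png',
  to: 'uBob22222', to_name: 'Bob', to_picture: '/avatars/bob.png',
  created_by: 'uAlice111',
};

// Bob's view: the id fields are gone, but the audit still flags from_picture.
const bobView = toPublishedRequest(sampleRequest);
console.log(findLeakedUserIds(bobView, KNOWN_USER_IDS, 'uBob22222'));
```

In a Meteor publication the same exclusion is written with the `fields` option of `find` (for example `{ fields: { from: 0, to: 0, created_by: 0, answered_by: 0 } }`); the audit can run in a server-side test over whatever documents the publication returns.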