Hello,
I realised my app is quite flawed, as I can, from my browser console, execute commands to access my database and also make calls to the server.
In the browser console, a command like db.find({}).fetch()
will return all entries, with IDs.
For example:
db.remove({})
will return
allow-deny.js:505 Uncaught errorClass {isClientSafe: true, error: 403, reason: "Not permitted. Untrusted code may only remove documents by ID.", details: undefined, message: "Not permitted. Untrusted code may only remove documents by ID. [403]", …}
but db.remove({_id: 'someid'})
will remove the entry.
Also, something like Meteor.call('removeuser', 'someusername')
will access Accounts and remove the user if the method is implemented. Should I give my methods unique names in the hope that nobody can find them?
Could you please give some guidelines on how to secure Meteor apps in general?
Thank you
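The situation described in the post, namely a method that anyone can invoke by name and a collection the client can write to by _id, is addressed by server-side authorization, not by hiding method names. The block below is an added example and is not code from the original post or from the Meteor project: the authorization logic is written as plain functions so it runs stand-alone, with the Meteor wiring (Meteor.methods, this.userId, Meteor.Error, check, and the collection allow/deny callbacks with their (userId, doc) signature) described in comments. The in-memory users and posts data, the MethodError stand-in and the isAdmin flag on the user document are constructed assumptions for the demonstration.

```javascript
// Added example (not from the original post or from Meteor itself):
// server-side authorization for a Meteor-style method and for collection
// writes, written as plain functions so the logic runs stand-alone.
// In a real app, removeUser would be registered with Meteor.methods and
// `ctx` would be the method's `this`, whose userId comes from the login
// token and cannot be forged by a method argument.

class MethodError extends Error {
  // Stand-in for Meteor.Error(error, reason): a client-safe error with a code.
  constructor(error, reason) {
    super(`${reason} [${error}]`);
    this.error = error;
    this.reason = reason;
    this.isClientSafe = true;
  }
}

// Constructed sample data: a stand-in for Meteor.users keyed by _id,
// and a posts collection. The isAdmin flag is an assumed field.
const users = new Map([
  ['u1', { _id: 'u1', username: 'alice', isAdmin: true }],
  ['u2', { _id: 'u2', username: 'bob', isAdmin: false }],
  ['u3', { _id: 'u3', username: 'carol', isAdmin: false }],
]);
const posts = new Map([
  ['p1', { _id: 'p1', owner: 'u2', title: 'bob post' }],
  ['p2', { _id: 'p2', owner: 'u3', title: 'carol post' }],
]);

// Equivalent of check(username, String) from meteor/check:
// never trust the type or shape of arguments sent by the client.
function checkString(value, name) {
  if (typeof value !== 'string' || value.length === 0) {
    throw new MethodError(400, `Match failed: ${name} must be a non-empty string`);
  }
}

// Server-side method handler. Order matters: validate arguments, require a
// logged-in caller, then require the privilege the operation needs.
// Returns the number of users removed.
function removeUser(ctx, username) {
  checkString(username, 'username');
  if (!ctx.userId) throw new MethodError(401, 'Not logged in');
  const caller = users.get(ctx.userId);
  if (!caller || !caller.isAdmin) throw new MethodError(403, 'Admin only');
  let removed = 0;
  for (const [id, u] of users) {
    // An admin may not remove their own account through this method.
    if (u.username === username && id !== ctx.userId) {
      users.delete(id);
      removed += 1;
    }
  }
  return removed;
}

// Allow/deny rules with the (userId, doc) callback signature Meteor passes to
// Collection.allow / Collection.deny. A client-side remove is permitted only
// for a document the caller owns; the deny rule rejects anonymous clients.
const postRules = {
  allow: { remove: (userId, doc) => !!userId && doc.owner === userId },
  deny: { remove: (userId) => !userId },
};

// Mirrors how Meteor evaluates an untrusted write: any deny rule that
// returns true rejects it, otherwise an allow rule must return true.
function clientRemoveAllowed(rules, userId, doc) {
  if (rules.deny.remove(userId, doc)) return false;
  return rules.allow.remove(userId, doc);
}
```

Usage: removeUser({ userId: 'u1' }, 'bob') succeeds because alice is an admin, while the same call with userId 'u2' or with no userId fails with 403 or 401 respectively; clientRemoveAllowed(postRules, 'u3', posts.get('p2')) is true only for the document's owner. The point is that every check lives on the server and keys off the authenticated userId, so it holds regardless of whether the client discovers the method name or the document _id.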