How to use rubaxa:sortable after removing insecure? (SOLVED)


#1

Hello,

I have carefully picked apart RubaXa’s Sortable example in order to understand the minimum bits and pieces required for using it in my own project, but I have hit a snag: if I do …

meteor remove insecure

… the demo stops working properly. Attempts to modify the list with drag’n drop cause errors like …

insert failed : Access denied

I do not see any dependency on a user being logged in, but even if I do create a user and log in I get “Access denied” in any case.

When I look in the files ./.meteor/local/build/programs/server/packages/rubaxa-sortable.js & ./.meteor/local/build/programs/server/packages/rubaxa-sortable.js , I see that methods are defined on the server side and called from the client – so why is access denied?

I made a separate GitHub repo in order to simplify trying out suggested solutions. It is here : martinhbramwell/rubaxa-meteor-sortable

I would appreciate any suggested ways to get past this obstacle.

I would really appreciate a pull request with the right solution. :slight_smile:

Thanks
Martin


#2

Weird, I’m using Sortable in my application currently, and while I do have some issues (below) it does generally work fine. Can you create a MeteorPad with an example?


#3

As I mentioned, I made an example in GitHub.

Maybe I’m pathetic but I have been utterly unable to use MeteorPad. I see no buttons to save my file changes, so all I ever see is the Leader-board example, unchanged, no matter what I do. I have tried in both Firefox and Chrome, under Ubuntu 14.04, but there is no difference. Is there some sort of secret “Easter Egg” button bar somewhere?

If someone would be willing to give my GitHub repository a try, or explain how to save changes to files in MeteorPad, I’ll be immensely grateful.


#4

Ok, I just saw issue 9 here

https : // github.com/rissem/meteorpad/issues/9


#5

You should still have the Ctrl + S save shortcut.


#6

You’re right !

Usually <ctrl-s> saves the page to the local drive, so I did not think to try it.

Thank you very very much.


#7

Ok, here is my Meteorpad Sortable Meteor Example.

I’ll be so pleased to have my mistake pointed out to me.

Thanks in advance.
Martin


#8

Am I missing something or do you not have any allow / deny rules set? http://docs.meteor.com/#/full/allow

The documentation quite clearly states for Sortable that:

Meteor Mongo collections are updated when items are added, removed or reordered, and the order is persisted.

Well, then you need to allow the client to do that, otherwise it will be, by default, denied. (Unless insecure is installed)

Perhaps have a read of: https://www.discovermeteor.com/blog/meteor-and-security/

Allow and Deny are two server-side callbacks that execute for any insert, update, or remove database operations.

The operation is only permitted to go through if either:

  • At least one allow callback returns true.
  • No deny callback returns true.

This means that if you haven’t written any allow callbacks yet, no database operation will be permitted to go through from the client (assuming of course you’ve already removed the insecure package).


#9

You got it Simon!

If any one needs it, that MeteorPad can stay there as a simple working example of RubaXa Sortable.

Thanks very much!


#10

No problem, glad I could help. :+1: