"Insert data on Method" VS "Insert data on Client + Security"?

theara · June 9, 2017, 4:57am

Could you explain me: Insert on Method VS Insert on Client + Security?
Which one better?
Ex:
1- Method

// Server
export const insertPost = new ValidatedMethod({
    name: 'posts.insert',
    mixins: [CallPromiseMixin],
    validate: null,
    run(doc) {
        if (!this.isSimulation) {
            return Posts.insert(doc);
        }
    }
});
-------------------
// client
 insertPost.callPromise(this.form).then((result) => {
      if (result) {
        // success
      }
}).catch((err) => {
      // error
});

2- Allow insert in client with security package

// Server
Posts.permit('insert').ifLoggedIn().ifHasRole('postInsert').allowInClientCode();
-------
// Client
Posts.insert(this.form, (error, _id) => {
       if (error) {
           // error
      } else {
            // success
     }
});

vigorwebsolutions · June 10, 2017, 2:16am

This has been brought up many times on the forums, most recently here.

I think the general consensus is that you should choose the approach that you have the most confidence in. It is possible to lock down your calls using either approach, and it is possible to have breaches due to sloppy code using either approach.

One pro of using the validated-method approach is that you can easily write mixins that extend auth functionality across your methods quickly. However, I’d think it could be just as easy to write a module and apply that to your allow/deny rules.