Is it a bad practice publishing Meteor.user.profile?


I have several collections in my app and at some places I need to display some user info like username, etc. on the client side. To do it I publish the profile field (below). Is it a bad practice publishing user profiles in terms of security and also performance? Do you have any better solutions?

Meteor.publish('users.profile', function usersPublish () {
    if (!Meteor.userId()) {
        throw new Meteor.Error('unauthorized user');
    return Meteor.users.find({}, { fields: { profile: 1 } });

I wouldn’t say that this is a bad practice as long as you secure it properly. The profile field on the users collection is writable by default and a user could store any kind of arbitrary data on this field that they like. At the very least I would recommend attaching a simple schema to your users collection and specifying fields and types of those fields that can be stored on the profile key.

Personally I prefer segregating the profile to another collection, and my socialize:user-profile package is made specifically for this purpose.

1 Like

Thank you @copleykj for your quick response and also for your effort for developing the package. I am gonna try it!

1 Like