I have several collections in my app and at some places I need to display some user info like username, etc. on the client side. To do it I publish the profile field (below). Is it a bad practice publishing user profiles in terms of security and also performance? Do you have any better solutions?
Meteor.publish('users.profile', function usersPublish () {
if (!Meteor.userId()) {
throw new Meteor.Error('unauthorized user');
}
return Meteor.users.find({}, { fields: { profile: 1 } });
});
I wouldn’t say that this is a bad practice as long as you secure it properly. The profile field on the users collection is writable by default and a user could store any kind of arbitrary data on this field that they like. At the very least I would recommend attaching a simple schema to your users collection and specifying fields and types of those fields that can be stored on the profile key.
Personally I prefer segregating the profile to another collection, and my socialize:user-profile package is made specifically for this purpose.
1 Like
Thank you @copleykj for your quick response and also for your effort for developing the package. I am gonna try it!
1 Like