Meteor is auto-publishing all the subscriptions without autopublish

Guys, I just realized that my app is publishing all the publications to the client even without a subscription and the autopublish package. Any idea why this is happening?

I even opened an issue for it :

Can you publish the release version…and other configuration etc…?

Hi, the version of Meteor is I just cloned the app in another machine and tried. In there it didn’t publish all my collections. I was unable to re-produce it. I just reset my project and the auto publishing stopped. After that I re-stored the old database (which I backed up before resetting). Now again it’s publishing everything.

It seems more like a db thing, Im not sure though…but, good that you are able to move forward…

this just happened to me. same symptoms, same behavior w/ dumping and restoring the database.

this is terrifying. what if this were to happen in production? the entire users table is being auto-published to the client even when i’m not logged in.

what we need is to understand WTF is going on, so if it happens in production, we can flip some bit in the database and fix it immediately. obviously, a ‘meteor reset’ is not a viable production fix.

i’d like to get to the bottom of this. today, i was playing around w/ 2 new things. one was this Chrome plugin:

and there was also this REST package:

after resetting meteor, i’ve tried restoring both of the above to see if i could get the autopublish behaviour to repeat. so far, it has not. but i did notice a curious thing with the Chrome plugin…

i have a collection, let’s call it “foo”, which we’re no longer using. before i reset, foo was in the db, and its contents were being auto published to the client, even though there was no subscription requested.

after the reset, foo was wiped from the db. in MeteorToys, it was not present until i re-installed the Chrome plug. suddenly, foo was showing up in MeteorToys in both Chrome and Safari. so i’m curious as to what exactly the Chrome plugin did, and where it wrote its effect (i’m assuming the db) in order for MeteorToys to pick it up in Safari (where, obviously, the Chrome plug is not running).

does anyone know where i can look in mongo to see what it did? maybe that’s the clue to undoing the auto-publish effect, should it happen again.

ok i figured it out.

it has to do with the Chrome plugin. it has a tab called Security. Under there is Collections. For each collection, you can hit a button called “Audit collection”.

if you do that for the collection “MeteorToys.AutoPub”, it adds a collection of that same name to your db. suddenly, autopublish is enabled.

to confirm, i successfully restored my old db, deleted the MeteorToys.AutoPub collection, and everything is back to normal.


Ouch, never heard of this issue before!

To make sure I understand correctly, are users who do not use the Chrome plugin safe from this issue?

i would put it this way: anyone can load up the plugin and point their browser at your Meteor app, head to the Security tab and start testing your packages.

now, MeteorToys is not enabled for production, so they can’t do what i did above to cause the autopublish (thank god). but it’s worth knowing if the packages you’re using are secure or not.

1 Like