Meteor is auto-publishing all the subscriptions without autopublish

Guys, I just realized that my app is publishing all the publications to the client even without a subscription and the autopublish package. Any idea why this is happening?

I even opened an issue for it: https://github.com/meteor/meteor/issues/7759

Can you publish the release version…and other configuration etc…?

Hi, the version of Meteor is 1.4.1.1. I just cloned the app on another machine and tried. In there it didn’t publish all my collections. I was unable to reproduce it. I just reset my project and the auto publishing stopped. After that I restored the old database (which I backed up before resetting). Now again it’s publishing everything.

It seems more like a db thing, I’m not sure though…but, good that you are able to move forward…

this just happened to me. same symptoms, same behavior w/ dumping and restoring the database.

this is terrifying. what if this were to happen in production? the entire users table is being auto-published to the client even when i’m not logged in.

what we need is to understand WTF is going on, so if it happens in production, we can flip some bit in the database and fix it immediately. obviously, a ‘meteor reset’ is not a viable production fix.

i’d like to get to the bottom of this. today, i was playing around w/ 2 new things. one was this Chrome plugin:

and there was also this REST package:

https://atmospherejs.com/simple/rest

after resetting meteor, i’ve tried restoring both of the above to see if i could get the autopublish behaviour to repeat. so far, it has not. but i did notice a curious thing with the Chrome plugin…

i have a collection, let’s call it “foo”, which we’re no longer using. before i reset, foo was in the db, and its contents were being auto published to the client, even though there was no subscription requested.

after the reset, foo was wiped from the db. in MeteorToys, it was not present until i re-installed the Chrome plug. suddenly, foo was showing up in MeteorToys in both Chrome and Safari. so i’m curious as to what exactly the Chrome plugin did, and where it wrote its effect (i’m assuming the db) in order for MeteorToys to pick it up in Safari (where, obviously, the Chrome plug is not running).

does anyone know where i can look in mongo to see what it did? maybe that’s the clue to undoing the auto-publish effect, should it happen again.

ok i figured it out.

it has to do with the Chrome plugin. it has a tab called Security. Under there is Collections. For each collection, you can hit a button called “Audit collection”.

if you do that for the collection “MeteorToys.AutoPub”, it adds a collection of that same name to your db. suddenly, autopublish is enabled.

to confirm, i successfully restored my old db, deleted the MeteorToys.AutoPub collection, and everything is back to normal.

hurray.

Ouch, never heard of this issue before!

To make sure I understand correctly, are users who do not use the Chrome plugin safe from this issue?

i would put it this way: anyone can load up the plugin and point their browser at your Meteor app, head to the Security tab and start testing your packages.

now, MeteorToys is not enabled for production, so they can’t do what i did above to cause the autopublish (thank god). but it’s worth knowing if the packages you’re using are secure or not.

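The symptom discussed in this thread, documents reaching a client that never subscribed and is not logged in, can be checked against a recorded DDP session. The following is an added example, not code from any poster or from Meteor or MeteorToys; it assumes the frames are already-unwrapped DDP JSON strings, and the function name `auditUnsubscribedData` and the sample frames are constructed for illustration.

```javascript
'use strict';
// Added example. Frames are assumed to be unwrapped DDP JSON strings,
// tagged 'out' (client -> server) or 'in' (server -> client).

// Reports every collection whose documents arrived while the client had
// no active subscription and had not attempted a login.
function auditUnsubscribedData(frames) {
  const activeSubs = new Set();
  let loginAttempted = false;
  const findings = {};
  for (const { dir, data } of frames) {
    let m;
    try { m = JSON.parse(data); } catch (e) { continue; } // not DDP JSON
    if (!m || typeof m !== 'object') continue;
    if (dir === 'out') {
      if (m.msg === 'sub') activeSubs.add(m.id);
      if (m.msg === 'unsub') activeSubs.delete(m.id);
      // Conservative: after a login call, own-user data is expected.
      if (m.msg === 'method' && m.method === 'login') loginAttempted = true;
      continue;
    }
    if (m.msg === 'nosub') activeSubs.delete(m.id); // server ended the sub
    if (m.msg !== 'added' || activeSubs.size > 0 || loginAttempted) continue;
    const f = findings[m.collection] ||
      (findings[m.collection] = { docs: 0, fields: new Set() });
    f.docs += 1;
    Object.keys(m.fields || {}).forEach((k) => f.fields.add(k));
  }
  for (const name of Object.keys(findings)) {
    findings[name].fields = [...findings[name].fields].sort();
  }
  return findings;
}

// Constructed sample session: no login, one late subscription to "posts".
const SAMPLE_FRAMES = [
  { dir: 'out', data: '{"msg":"connect","version":"1","support":["1"]}' },
  { dir: 'in', data: '{"msg":"connected","session":"constructed-session"}' },
  { dir: 'in', data: '{"msg":"added","collection":"users","id":"u1","fields":{"emails":[],"services":{}}}' },
  { dir: 'in', data: '{"msg":"added","collection":"users","id":"u2","fields":{"emails":[],"profile":{}}}' },
  { dir: 'in', data: '{"msg":"added","collection":"foo","id":"f1","fields":{"x":1}}' },
  { dir: 'out', data: '{"msg":"sub","id":"s1","name":"posts","params":[]}' },
  { dir: 'in', data: '{"msg":"added","collection":"posts","id":"p1","fields":{"title":"t"}}' },
];

console.log(JSON.stringify(auditUnsubscribedData(SAMPLE_FRAMES), null, 2));
```

For a session recorded against your own app with no user logged in and no subscriptions requested, an empty result is the expected outcome.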