Meteor.users publication nightmare!


#1

I noticed a scary thing today while I was updating my users publishing function: even when I don’t publish anything from Meteor.users, Meteor still by default publishes all users’ IDs in the app to logged-in users!

I tried just returning this.ready() and I even tried deleting the whole publication function, still the same result!

Is it really that way or am I messing with something else somewhere?


#2

See https://guide.meteor.com/security.html#checklist point number 1. Read https://www.meteor.com/tutorials/blaze/publish-and-subscribe for more…


#3

Also, if you are using a “helper” like meteor toys, etc., then there may be additional data being published.


#4

I don’t have autopublish or insecure, I can still access Meteor.users in a production app in the console!


#5

Do you mean you can see all users in the browser console with Meteor.users.find().fetch()?


#6

I take that back, I see only 2 users, myself (when logged in) and some other one which seems to be my bug.


#7

Well, then it means that the second user is being subscribed somehow… guess it is time to show us the real code for publication and subscriptions…