I noticed a scary thing today while I’m updating my users publishing function, that even when I don’t publish anything from Meteor.users still by default meteor publishes to logged in users all users id’s in the app!
I tried just returning this.ready() and I even tired deleting the whole publication function still the same result!
Is it really that way or am I messing with something else somewhere?
See https://guide.meteor.com/security.html#checklist point number 1. Read https://www.meteor.com/tutorials/blaze/publish-and-subscribe for more…
Also, if you are using a “helper” like meteor toys, etc., then there may be additional data being published.
I dont have autopublish or insecure, I can still access Meteor.users in a production app in the console!
Do you mean you can see all users in the browser console with Meteor.users.find().fetch()?
I take that back, I see only 2 users, myself (when logged in) and some other one which seems to be my bug,
Well, then it means that the second user is being subscribed some how… guess it is time to show us the real code for publication and subscriptions…