mz103
August 31, 2015, 3:26pm
1
What are the performance differences of methods vs. allow/deny?
When should I use which?
@mz103, take a look at this topic that I’ve made some time ago,
Hey,
I’m taking a look at the open sourced apps that Slava posted here, and checking some security things. One of them is the way that people are handling inserts, updates and deletes. I like to use Allow and Deny since it is cleaner to use Collection.insert() on client, for me. But I’m reconsidering that, and I would love to hear your experiences about that, taking security and performance into consideration.
Tks!
They are the same performance wise. The Players.insert is just a facade for a Meteor.call('players/insert', ... call. Under the hood it’s all using Meteor methods.
I switched to only using Meteor methods because they offer more flexibility and make it easier to reason about security logic.
Also here’s an article that goes into more depth: https://www.discovermeteor.com/blog/meteor-methods-client-side-operations/
2 Likes
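A simplified plain-JavaScript model of the point made in the post above, added here as an example and not taken from any poster or from Meteor's source. The names `makeCollection`, `clientInsert` and `insertPlayerMethod` are hypothetical; the rule modeled is Meteor's documented one: a client write passes only if no deny callback returns true and at least one allow callback returns true.

```javascript
// Model only: shows why scattered allow/deny rules are harder to reason about
// than one explicit method. Not Meteor's implementation.
function makeCollection() {
  const rules = { allow: [], deny: [] };
  return {
    allow: (fn) => { rules.allow.push(fn); },
    deny: (fn) => { rules.deny.push(fn); },
    // Stand-in for the auto-generated insert method a client-side insert maps to.
    clientInsert(userId, doc) {
      if (rules.deny.some((fn) => fn(userId, doc))) return false; // any deny blocks
      return rules.allow.some((fn) => fn(userId, doc));           // any allow permits
    },
  };
}

// Explicit method: validation and authorization live in one code path.
function insertPlayerMethod(userId, doc) {
  if (!userId) throw new Error('not-authorized');
  if (typeof doc.name !== 'string' || doc.name.length === 0) {
    throw new Error('invalid name');
  }
  // Whitelist fields: the server sets owner and score, client values are ignored.
  return { name: doc.name, owner: userId, score: 0 };
}

function demo() {
  const Players = makeCollection();
  // Intended rule: only the owner may insert.
  Players.allow((userId, doc) => userId !== null && doc.owner === userId);
  // A second rule registered elsewhere silently widens access.
  Players.allow((userId) => userId !== null);

  // Constructed sample input: owner and score set by the client.
  const doc = { name: 'x', owner: 'someone-else', score: 9999 };

  const viaAllow = Players.clientInsert('user-1', doc);  // second allow permits it
  Players.deny((userId, d) => d.owner !== userId);       // deny overrides every allow
  const afterDeny = Players.clientInsert('user-1', doc);
  const viaMethod = insertPlayerMethod('user-1', doc);   // client fields discarded
  return { viaAllow, afterDeny, viaMethod };
}
```

With allow/deny, the effective policy is the combination of every callback registered anywhere in the app, so reviewing one rule in isolation is not enough.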
Steve
August 31, 2015, 4:16pm
4
Another discussion:
how are you using collection2 are you inserting a doc via the client or meteor method
It depends. First of all, I make sure I am very thorough with the schema definition. Especially with very extensive custom validations with cross check other fields as well as the current user's role and rights. Then, if the collection does not have complex rules about the conditions which allow/deny its insert/update, I write my access rules using ongoworks:security and do normal insert/update. Ongoworks…