Permission incorrectly returning data

I have a Meteor helper that checks to see if the user has the correct permissions.

cad.js

Template.cad.helpers({
   pageAccess() {
      const user = Meteor.users.findOne({_id: this.userId});
      const user_department = Meteor.users.findOne({_id: this.userId}).profile.department;
      const communications_departments = Settings.findOne({_id: 'settings'}).communications_departments;

      if (user && communications_departments.includes(user_department)) {
         Meteor.subscribe('calls');
         Meteor.subscribe('users');
         Meteor.subscribe('settings');
         return true;
      } else {
         return false;
      }
   },
});

cad.html

<template name="cad">
   {{#if pageAccess}}
      {{> cad}}
   {{else}}
      No access.
   {{/if}}
</template>

For some reason, even though the user has the correct group, the page will not show up correctly.

Similarly, my router won’t correctly return either. The user is in the correct group but it won’t seem to render.

routes.js

Router.route('/communications', function () {
   const user = Meteor.users.findOne({_id: this.userId});
   const user_department = Meteor.users.findOne({_id: this.userId}).profile.department;
   const communications_departments = Settings.findOne({_id: 'settings'}).communications_departments;

   if (user && communications_departments.includes(user_department)) {
     this.render('communications');
   }
}, {
  name: 'communications'
});

First, put the subscriptions in an onRendered or an onCreated. See the guide for the documentation for this.

Second, you don’t want to have this validation on the client. If I wanted to I could just open up the console and say

Meteor.subscribe('calls');

And I would have access to your permission-sensitive data. You want to validate on the server that the person making the subscription call has permission to do so. So in your publication, wrap your query in your validation if (user && communications_departments.includes(user_department))

You are doing a lot wrong here; I suggest reading through the Meteor guide. It is a huge help.
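The server-side check recommended in the reply above, as an added example that is not part of the original thread: the publish handler decides from `this.userId`, which the server sets from the authenticated connection, so calling `Meteor.subscribe('calls')` from the console returns nothing for an unauthorized user. `Calls`, `makeCollection`, `canAccessCommunications`, `callsPublication` and `subscribeAs` are hypothetical names, and the in-memory collections are constructed stand-ins so the block runs outside Meteor.

```javascript
// Constructed in-memory stand-ins for the thread's collections (assumption);
// in an app these would be Meteor.users, Settings and a Calls collection.
const makeCollection = (docs) => ({
  findOne: (sel) => docs.find((d) => d._id === sel._id),
  find: () => docs, // Meteor returns a cursor here
});
const Users = makeCollection([
  { _id: 'u1', profile: { department: 'communications' } },
  { _id: 'u2', profile: { department: 'patrol' } },
  { _id: 'u3' }, // user document with no profile
]);
const Settings = makeCollection([
  { _id: 'settings', communications_departments: ['communications'] },
]);
const Calls = makeCollection([{ _id: 'c1', summary: 'constructed call' }]);

// Null-safe at every step: a logged-out client or a missing document
// yields false instead of throwing on `.profile` of undefined.
function canAccessCommunications(userId) {
  if (!userId) return false;
  const user = Users.findOne({ _id: userId });
  const settings = Settings.findOne({ _id: 'settings' });
  const allowed = (settings && settings.communications_departments) || [];
  const department = user && user.profile && user.profile.department;
  return Boolean(department) && allowed.includes(department);
}

// Publish handler. In Meteor: Meteor.publish('calls', callsPublication);
// It must be a regular function so `this` is the publication context.
function callsPublication() {
  if (!canAccessCommunications(this.userId)) {
    return this.ready(); // publish no documents, mark the subscription ready
  }
  return Calls.find({});
}

// Hypothetical harness: mimics the `this` the server passes for a connection
// and returns the documents that connection would receive.
function subscribeAs(userId) {
  const ctx = { userId, ready() {} };
  return callsPublication.call(ctx) || [];
}
```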

On the server, I do have validations when I publish the collections. Also, I honestly do not know why I put the subscriptions there, I’ve removed them! Thanks for pointing that out! :smiley:

However, my biggest problem is that the helper and router are not receiving the right value. The user is in the communications department; however, it seems that it is returning false when I check for it. It doesn’t render the correct if statement in the page nor does it render.