Preventing all Meteor.users from being published to the client, need to publish only specific ones


#1

I’m using the accounts package, which apparently publishes all users to the client automatically. I’m building a system where users are organised into teams, so I’d like to publish only users from the same team, not all of them. Despite all my efforts, all users from all teams are still accessible on the client side, is there a way to prevent that?

This is how I’d like to publish users:

if (Meteor.isServer) {
  Meteor.publish("team_users", function (team_id) {
    return Meteor.users.find({team_id:team_id});
  }
}

And this is how I subscribe on the router:

this.wait(Meteor.subscribe('team_users', Session.get('team_id')));

#2

If you don’t add the autopublish package, users are not published (except the current one).


#3

Thanks Steve. I’m not using the autopublish package. Doesn’t the accounts package automatically publish all users (even if only the profile object is exposed)? Trying to figure out if I’m publishing it elsewhere, though I’ve looked everywhere.


#4

AFAIK, users are not published automatically. See here:

Like all Mongo.Collections, you can access all documents on the server, but only those specifically published by the server are available on the client.

By default, the current user’s username, emails and profile are published to the client. You can publish additional fields for the current user with: […]

If the autopublish package is installed, information about all users on the system is published to all clients.

Why do you believe all users have been published, how do you check?


#5

use a publication on users like

Meteor.publish("userData", function () {
  if (this.userId) {
    return Meteor.users.find({role: 'my-admin},
                             {fields: {'other': 1, 'things': 1}});
  } else {
    this.ready();
  }
});

the call Meteor.subscribe('userData')

Meteor.users will now the current user + all the users that met the query

*this is an adapted example from http://docs.meteor.com/#/full/meteor_users


#6

Here’s how I check: while debugging I use Mongol, which allows me to visualise the documents that are available on the client side. In production I just run Meteor.users.find().fetch() on the browser’s console.


#7

Thanks garrilla. That publishes the extra fields for users that meet the query, but it still publishes the profile object for all other users, even if the user is not logged in.


#8

And when running meteor list, autopublish doesn’t show up?


#9

It doesn’t. I find it very strange, but after searching for many hours I’m starting to believe there’s no way of publishing some users while keeping other unpublished. The closest I found is what @garrilla said, which allows you to publish some fields for some users while keeping only the profile object visible for the rest. But that still exposes the total number of users and the profile fields.


#10

You must have another Publication on the the users collections.

If there is no publication only the currentUser is attached to Meteor.users.


#11

We all do this, without any problem.

If you can reproduce your problem on a small sample code, then this is a terrible bug and you should file a Meteor issue.


#12

SOLVED: you’re both right @Steve and @garrilla. There was another publication in a different place. I started building this on top of an existing app and thought I had cleaned it all up. My bad, thanks guys!