Preventing all Meteor.users from being published to the client, need to publish only specific ones

guillermolandin · October 16, 2015, 12:52pm

I’m using the accounts package, which apparently publishes all users to the client automatically. I’m building a system where users are organised into teams, so I’d like to publish only users from the same team, not all of them. Despite all my efforts, all users from all teams are still accessible on the client side, is there a way to prevent that?

This is how I’d like to publish users:

if (Meteor.isServer) {
  Meteor.publish("team_users", function (team_id) {
    return Meteor.users.find({team_id:team_id});
  }
}

And this is how I subscribe on the router:

this.wait(Meteor.subscribe('team_users', Session.get('team_id')));

Steve · October 16, 2015, 12:54pm

If you don’t add the autopublish package, users are not published (except the current one).

guillermolandin · October 16, 2015, 1:01pm

Thanks Steve. I’m not using the autopublish package. Doesn’t the accounts package automatically publish all users (even if only the profile object is exposed)? Trying to figure out if I’m publishing it elsewhere, though I’ve looked everywhere.

Steve · October 16, 2015, 1:06pm

AFAIK, users are not published automatically. See here:

Like all Mongo.Collections, you can access all documents on the server, but only those specifically published by the server are available on the client.

By default, the current user’s username, emails and profile are published to the client. You can publish additional fields for the current user with: […]

If the autopublish package is installed, information about all users on the system is published to all clients.

Why do you believe all users have been published, how do you check?

garrilla · October 16, 2015, 1:41pm

use a publication on users like

Meteor.publish("userData", function () {
  if (this.userId) {
    return Meteor.users.find({role: 'my-admin},
                             {fields: {'other': 1, 'things': 1}});
  } else {
    this.ready();
  }
});

the call Meteor.subscribe('userData')

Meteor.users will now the current user + all the users that met the query

*this is an adapted example from http://docs.meteor.com/#/full/meteor_users

guillermolandin · October 16, 2015, 2:09pm

Here’s how I check: while debugging I use Mongol, which allows me to visualise the documents that are available on the client side. In production I just run Meteor.users.find().fetch() on the browser’s console.

guillermolandin · October 16, 2015, 2:27pm

Thanks garrilla. That publishes the extra fields for users that meet the query, but it still publishes the profile object for all other users, even if the user is not logged in.

Steve · October 16, 2015, 3:20pm

And when running meteor list, autopublish doesn’t show up?

guillermolandin · October 16, 2015, 3:47pm

It doesn’t. I find it very strange, but after searching for many hours I’m starting to believe there’s no way of publishing some users while keeping other unpublished. The closest I found is what @garrilla said, which allows you to publish some fields for some users while keeping only the profile object visible for the rest. But that still exposes the total number of users and the profile fields.

garrilla · October 16, 2015, 3:58pm

You must have another Publication on the the users collections.

If there is no publication only the currentUser is attached to Meteor.users.

Steve · October 16, 2015, 4:20pm

We all do this, without any problem.

If you can reproduce your problem on a small sample code, then this is a terrible bug and you should file a Meteor issue.

guillermolandin · October 17, 2015, 10:33am

SOLVED: you’re both right @Steve and @garrilla. There was another publication in a different place. I started building this on top of an existing app and thought I had cleaned it all up. My bad, thanks guys!