Publish everything?

ok, so as a publish is just a cursor, can I simply publish everything and filter on the client-side subscribe?

You can, but the question is should you?
If the client is rarely going to need half the records, why send it to them in the first place? If they’re going to use the records on a regular basis then go ahead and send it to the client.

If the results are filtered from the client subscription call, then does it even matter what happens at the publication end, i.e. why not just have no filters on the cursor because it is not sending anything to the browser until it is called from the client side?

Can you rephrase the question?

I have re-phrased the question.

Publications serve three main purposes:

  1. Separation of concerns: keeping unrelated data separated.
  2. Reduction of over-the-wire data: you really don’t want all 1000000 documents in your database sent to your client.
  3. Most importantly - security. I can open a web inspector on your application and look at the content of your collections. The only way you can stop me seeing stuff I shouldn’t have access to is to not publish it in the first place.

Errr, the user can see my data on the client? OK, this is news to me - can you provide more info on how to inspect the data?

A Mongo.Collection is just a cursor, so I can use web inspector to find the names of your collections and then do

YourCollectionName.find().fetch()

in the console. However, on the client, the content of the collection should be managed by a publication.

As rob is saying, whatever you publish to a client is sent to the browser, regardless of whether the client uses it or not.

@tidee open your browser, go to your site, open js console, then do Meteor.collection.findOne(); and you can browse anything published. Proper pub/sub rules and more will do wonders for your Meteor-jitsu, it’s definitely worth taking a week to learn and play with.

Woah! I thought that this was only the case if the Insecure and Autopublish packages were included in my project, but I have tested this and, yes, I can select an entire collection. This is cause for concern, as a framework that is touted for being quick and easy to get data to the client could very easily lead to the development of very insecure applications - tainting the framework’s suitability as a whole. I’m guessing that this isn’t an oversight (?) and controlling of data from the publish/subscribe process is paramount. In my application, on one page I need to access an entire collection so that when a user selects a particular option, only those relevant to the option are shown. I don’t know what option they are going to set, therefore, I cannot limit the collection to a sub-set before it goes to the browser - any tips?

Here’s my example:

SERVER:

Items = new Mongo.Collection("items");
// Publishes every document and every field of the collection
Meteor.publish('items', function () {
  return Items.find();
});

CLIENT:

Items = new Mongo.Collection("items");
// The name must match the one passed to Meteor.publish on the server
Meteor.subscribe('items');

User selects an item from a drop-down list and I need details of this item from the collection - how do I go about this?

@tidee autopublish and insecure do basically the same thing as you manually writing a “publish all” for each connection in code. When you disable those two you then have to write your PubSub per needs of the app. This is one of the unique things about Meteor as well as one of its most awesome features for using so I definitely recommend spending whatever time needed to get your head around PubSub.

Being quick and easy doesn’t negate your obligation to understand how it works. Pub/sub is Meteor 101.

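An added example, not written by any poster in this thread and not Meteor code: a plain JavaScript model of the point made above, that the browser holds everything a publication sends, set beside two narrower publications for the drop-down case. The names `allItems`, `itemNames`, `itemDetails` and the sample data are constructed; in Meteor the same narrowing is done with a selector and a `fields` option on the cursor returned from `Meteor.publish`, with `check()` validating the arguments.

```javascript
// Minimal model of publish/subscribe (not Meteor itself): the server owns the
// full collection; the client cache receives whatever a publication returns.
const serverItems = [ // constructed sample data
  { _id: 'a1', box: 'red', name: 'Widget', supplierCost: 3.1 },
  { _id: 'b2', box: 'red', name: 'Gadget', supplierCost: 7.5 },
  { _id: 'c3', box: 'blue', name: 'Gizmo', supplierCost: 1.2 },
];

// Keep only whitelisted fields, like a field projection on a cursor.
const project = (doc, fields) =>
  Object.fromEntries(fields.map((f) => [f, doc[f]]));

const publications = {
  // "Publish everything": every document and every field goes over the wire.
  allItems: () => serverItems.map((d) => ({ ...d })),

  // Names only, enough to fill the drop-down.
  itemNames: () => serverItems.map((d) => project(d, ['_id', 'name'])),

  // Details for one selected item. The argument comes from the client and is
  // untrusted, so reject anything that is not a short plain string.
  itemDetails: (itemId) => {
    if (typeof itemId !== 'string' || !/^[a-z0-9]{1,32}$/i.test(itemId)) {
      throw new TypeError('itemId must be a short alphanumeric string');
    }
    return serverItems
      .filter((d) => d._id === itemId)
      .map((d) => project(d, ['_id', 'name', 'box']));
  },
};

// What ends up in the browser: all subscribed publications merged by _id.
function clientCacheAfter(subscriptions) {
  const cache = new Map();
  for (const [name, ...args] of subscriptions) {
    for (const doc of publications[name](...args)) {
      cache.set(doc._id, { ...cache.get(doc._id), ...doc });
    }
  }
  return [...cache.values()];
}

// Filtering in the UI does not shrink the cache; the console sees all of it.
const leaky = clientCacheAfter([['allItems']]);
const scoped = clientCacheAfter([['itemNames'], ['itemDetails', 'b2']]);
console.log(leaky.filter((d) => 'supplierCost' in d).length);
console.log(scoped);
```

When the user picks a different option, the client drops the old `itemDetails` subscription and opens a new one with the new id, so the cache never holds more than the names plus one item's details.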