Publish everything?


ok, so as a publish is just a cursor, can I simply publish everything and filter on the client-side subscribe?


You can, but the question is should you?
If the client is rarely going to need half the records, why send it to them in the first place. If they’re going to use the records on a regular basis then go ahead and send it to the client.


If the results are filtered from the client subscription call, then does it even matter what happens at the publication end, i.e. why not just have no filters on the cursor because it is not sending anything the the browser until it is called from the client side ?


Can you rephrase the question?


I have re-phrased the question.


Publications serve three main purposes:

  1. Separation of concerns: keeping unrelated data separated.
  2. Reduction of over-the-wire data: you really don’t want all 1000000 documents in your database sent to your client.
  3. Most importantly - security. I can open a web inspector on your application and look at the content of your collections. The only way you can stop me seeing stuff I shouldn’t have access to is to not publish it in the first place.


Errr, the user can see my data on the client? ok, this is news to me - can you provide more info. on this on how to do inspect the data?


A Mongo.Collection is just a cursor, so I can use web inspector to find the names of your collections and then do


in the console. However, on the client, the content of the collection should be managed by a publication.


As rob is saying, whatever you publish to a client is sent to the browser, regardless of whether the client uses it or not.


@tidee open your browser, go to your site, open js console, then do Meteor.collection.findOne(); and you can browse anything published. Proper pub/sub rules and more will do wonders for your Meteor-jitsu, it’s definitely worth taking a week to learn and play with.


Woah! I thought that this was only the case if the Insecure and Autopublish packages were included in my project, but I have tested this and, yes, i can select an entire collection. This is cause for concern as an framework that is touted for being quick and easy to get data to the client could very easily lead to the development of very insecure applications - tainting the frameworks suitability as a whole. I’m guessing that this isn’t an oversight (?) and controlling of data from the publish/subscribe process is paramount. In my application, on one page i need to access an entire collection so that when a user selects a particular option, only those relevant to the option are shown. I don’t know what option they are going to set, therefore, I cannot limit the collection to a sub-set before it goes to the browser - any tips?

Here’s my example:


Items = new Mongo.Collection(“items”);
Meteor.publish(‘items’, function() {
return Items.find();


Items = new Mongo.Collection(“items”);

User selects an item from a drop-down list and I need details of this item from the collection - how do I go about this?


@tidee autopublish and insecure do basically the same thing as you manually writing a “publish all” for each connection in code. When you disable those two you then have to write your PubSub per needs of the app. This is one of the unique things about Meteor as well as one of it’s most awesome features for using so I definitely recommend spending whatever time needed to get your head around PubSub.


Being quick and easy doesn’t negate your obligation to understand how it works. Pub/sub is Meteor 101.