Restricting access to server routes


#1

I have a download route in my MeteorJs app which i want to restrict access to. The route code is as follows

Router.route("/download-data",  function() {
var data = Meteor.users.find({ "profile.user_type": "employee" }).fetch();
var fields = [...fields];

var title = "Employee - Users";

var file = Excel.export(title, fields, data);

var headers = {
  "Content-type": "application/vnd.openxmlformats",
  "Content-Disposition": "attachment; filename=" + title + ".xlsx"
};

 this.response.writeHead(200, headers);
 this.response.end(file, "binary");
 },
 { where: "server" }
);

The route automatically downloads a file. This is currently working but I want to restrict access to the route. I only want admins to be able to download it.

I have created an onBeforeAction Hook as below

Router.onBeforeAction(
  function() {
    //using alanning:roles
    if(Roles.userIsInRole(this.userId, "admin"){
     console.log('message') //testing
   }
  },
  {
    only: ["downloadData"]
  }
);

and renamed my route as below

//code above
this.response.writeHead(200, headers);
 this.response.end(file, "binary");
 },
 { where: "server", name: "downloadData" }
);

The onBeforeAcion hook does not take any effect

Also I noticed neither this.userId nor Meteor.userId works on the route