I have a publish function like this:
Meteor.publish('users.all', function () {
const roles = Roles.getRolesForUser(this.userId);
if (role.includes('administer_users') {
return Meteor.users.find();
}
});
What is the recommended thing to return from this function if my role check (or any other kind of check) fails?
In other words, if the publish function does not want to return a cursor, what should I return? Null? An Error? What format should the error be in? Or should it just fail silently?
Thanks,
Cliff
If you throw an error, it gets carried via DDP and can be shown in the front-end. You might not want to give a potential attacker cues (e.g. authentication has failed). On the other hand you might want to throw the error, so the front-end can suggest to the user to login using the appropriate credentials.
You could also log the unauthorised attempt, and then ready the publication with this.ready() - this is my preferred strategy.
Really, the rules for returning a value from the publication are quite flexible. You can return an empty array, to suggest no data (and then deal with that accordingly in the front-end). In some Meteor packages I see null being returned, and I did that too, which works perfectly well.