Right way to check if user has role in meteor?


I’m building a CMS and depending on the user role they will be able to edit/update/delete/create different areas but filtered by their role as in, one user with role: 'basic role' can’t delete what the user with role: 'superuser' can.

What I have at the moment is this:

  // YourCollection is a placeholder; the post does not name the collection these allow rules belong to.
  YourCollection.allow({
    insert: function(userId, collection) {
      return Meteor.users.findOne({_id: userId, profile: {role: 'admin'}});
    },
    update: function(userId, collection, fields, modifier) {
      return Meteor.users.findOne({_id: userId, profile: {role: 'admin'}});
    },
    remove: function(userId, collection) {
      return Meteor.users.findOne({_id: userId, profile: {role: 'admin'}});
    }
  });

Is this the right way to validate user roles? Are there better ways? What are the best practices for this?



Have you considered using permission packages, like alanning:roles?

You can also use per-document permission packages. They are both described in the Meteor Guide.

Hope this helps.


I’d also recommend alanning:roles, you’ll probably find good use of the groups feature quite soon.

As an extra bit of guidance, you might want to steer clear from allow/deny functionality and use methods instead (and check the role of the user in the method). Allow/deny is not recommended anymore and might be deprecated in the near future.
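The pattern recommended above, as an added example that is not code from this thread or from Meteor: the role check lives inside the method that performs the write, with roles read from server-side data rather than from a client-editable profile field. `Meteor`, `alanning:roles` and the collection are replaced by small stand-ins over constructed data so the block runs stand-alone; the role names and actions are assumed for illustration.

```javascript
// Constructed users and documents standing in for Meteor.users and a collection.
const users = new Map([
  ['u1', { roles: ['basic role'] }],
  ['u2', { roles: ['superuser'] }],
]);
const posts = new Map([['p1', { title: 'hello' }]]);

// Stand-in for Roles.userIsInRole: roles come from data only the server writes,
// never from profile.role, which a logged-in client can edit by default.
function userIsInRole(userId, allowedRoles) {
  const user = users.get(userId);
  return !!user && user.roles.some((r) => allowedRoles.includes(r));
}

// Which roles may perform each action; an action not listed here is denied.
const PERMISSIONS = {
  'posts.update': ['basic role', 'superuser'],
  'posts.remove': ['superuser'],
};

// Throws unless the caller is logged in and holds a role allowed for the action.
function requireRole(userId, action) {
  if (!userId || !userIsInRole(userId, PERMISSIONS[action] || [])) {
    throw new Error('not-authorized'); // a real method would throw Meteor.Error
  }
}

// Method bodies written as Meteor methods are: this.userId identifies the caller.
const methods = {
  'posts.update'(postId, title) {
    requireRole(this.userId, 'posts.update');
    const post = posts.get(postId);
    if (!post) throw new Error('not-found');
    post.title = title;
    return true;
  },
  'posts.remove'(postId) {
    requireRole(this.userId, 'posts.remove');
    return posts.delete(postId);
  },
};

// Stand-in for a server-side method invocation: binds the caller as this.userId.
function callAs(userId, name, ...args) {
  return methods[name].apply({ userId }, args);
}
```

Because every write goes through `requireRole`, a client that tampers with its own profile gains nothing; only the server-held role list decides.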


Why is it not recommended anymore?


It’s very hard to actually make allow/deny secure and thus it’s a security risk. Some resources that are relevant: