Right way to check if user has role in meteor?

jsantana · June 7, 2016, 9:36pm

I’m building a CMS and depending on the user role they will be able to edit/update/delete/create different areas but filtered by their role as in, one user with role: 'basic role' can’t delete what the user with role: 'superuser' can.

What I have at the moment is this:

Collection.allow({
  insert: function(userId, collection) {
    return Meteor.users.findOne({_id: userId, profile: {role: 'admin'}});
  },
  update: function(userId, collection, fields, modifier) {
    return Meteor.users.findOne({_id: userId, profile: {role: 'admin'}});
  },
  remove: function(userId, collection) {
    return Meteor.users.findOne({_id: userId, profile: {role: 'admin'}});
  }
});

QUESTION
Is this the right way to validate users roles? Are there better ways? What is the best practices for this?

Thanks!

billiam · June 7, 2016, 10:57pm

Have you considered using permission packages? like alanning:roles

You can also use per-document permission packages. They are both describe in Meteor Guide.

Hope this help.

nlammertyn · June 7, 2016, 11:27pm

I’d also recommend alanning:roles, you’ll probably find good use of the groups feature quite soon.

As an extra bit of guidance, you might want to steer clear from allow/deny functionality and use methods instead (and check the role of the user in the method). Allow/deny is not recommended anymore and might be deprecated in the near future.

jsantana · June 7, 2016, 11:54pm

Why is it not recommended anymore?

nlammertyn · June 8, 2016, 12:38pm

It’s very hard to actually make allow/deny secure and thus it’s a security risk. Some resources that are relevant:

https://www.discovermeteor.com/blog/meteor-methods-client-side-operations/