Currently I’m storing fields such as `isAdmin` directly on the Meteor user object. But I also have this declared on the server end:
```js
// Reject every client-side update to user documents.
Meteor.users.deny({
  update() {
    return true;
  },
});
```
I’m assuming this practice is safe? I’ve verified that the user is unable to change this value from the browser console. I could also have other sensitive data stored on the user object and simply not publish it, if I don’t want them to even see certain things.
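
Added example (not part of the original post, and not Meteor's own source): a plain-JavaScript model of how a client-initiated update to a user document is decided, showing what the deny rule above changes. The function names, the sample document and the `internalNotes` field are assumptions; the default rule is modeled on the `profile`-only allow rule that Meteor's accounts package installs on `Meteor.users`.

```javascript
// Simplified model of Meteor's allow/deny decision for a client-initiated update.
// Constructed for illustration; this is not Meteor source code.

// Top-level fields touched by a Mongo modifier, e.g. {$set: {'profile.x': 1}} -> ['profile'].
function topLevelFields(modifier) {
  const fields = new Set();
  for (const op of Object.values(modifier)) {
    for (const path of Object.keys(op)) fields.add(path.split('.')[0]);
  }
  return [...fields];
}

// A write passes only if no deny rule returns true AND at least one allow rule returns true.
function clientUpdateAllowed(rules, userId, doc, modifier) {
  const fields = topLevelFields(modifier);
  if (rules.deny.some((rule) => rule(userId, doc, fields, modifier))) return false;
  return rules.allow.some((rule) => rule(userId, doc, fields, modifier));
}

// Models the default allow rule: a user may edit only their own `profile` field.
const defaultProfileAllow = (userId, doc, fields) =>
  doc._id === userId && fields.length === 1 && fields[0] === 'profile';

// The rule from the post: deny every client update.
const denyAllUpdates = () => true;

// Models a publication's field exclusion: drop top-level fields the client must not see.
function publishedView(doc, hiddenFields) {
  return Object.fromEntries(Object.entries(doc).filter(([key]) => !hiddenFields.includes(key)));
}

// Constructed sample user document and rule sets (hypothetical names).
const user = { _id: 'u1', username: 'alice', isAdmin: false, profile: { name: 'Alice' }, internalNotes: 'x' };
const defaults = { allow: [defaultProfileAllow], deny: [] };
const hardened = { allow: [defaultProfileAllow], deny: [denyAllUpdates] };

console.log(clientUpdateAllowed(defaults, 'u1', user, { $set: { isAdmin: true } }));
console.log(clientUpdateAllowed(defaults, 'u1', user, { $set: { 'profile.isAdmin': true } }));
console.log(clientUpdateAllowed(hardened, 'u1', user, { $set: { 'profile.isAdmin': true } }));
console.log(publishedView(user, ['isAdmin', 'internalNotes']));
```

Allow/deny rules cover only writes that originate from the client; server-side methods bypass them, so any method that modifies `isAdmin` or acts on it needs its own server-side authorization check.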