Safe to store "isAdmin" and other similar info on Meteor user object?


Currently I’m storing fields such as isAdmin directly on the Meteor user object. But I also have this declared on the server end:

  // Server side: deny every client-originated update to user documents
  Meteor.users.deny({
    update() { return true; },
  });

I’m assuming this practice is safe? I’ve verified that the user is unable to change this value from the browser console. I could also have other sensitive data stored on the user object and simply not publish it, if I don’t want them to even see certain things.


Do you also have insert denied? I could create a new user document with isAdmin set if I knew what I was doing (which is a stretch :wink:).


Got that covered. :wink:

    Accounts.config({ forbidClientAccountCreation: true });
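
The thread's question comes down to how Meteor resolves client-side writes against allow/deny rules. The sketch below is an added example, not code from any poster or from Meteor itself: `makeCollection`, `makeUsers`, `check` and the sample user are constructed stand-ins that model the rule order (any matching deny rejects, otherwise some allow must accept) and the default `profile`-only update rule on `Meteor.users`.

```javascript
// Simplified model of client-write resolution (constructed stand-in, not Meteor code):
// any deny rule returning true rejects; otherwise some allow rule must return true.
function makeCollection() {
  const rules = { allow: [], deny: [] };
  return {
    allow: (r) => rules.allow.push(r),
    deny: (r) => rules.deny.push(r),
    // Returns true when a client-originated write of type `op` would be accepted.
    clientWrite(op, userId, doc, fields = []) {
      const hit = (r) => typeof r[op] === 'function' && r[op](userId, doc, fields);
      if (rules.deny.some(hit)) return false;
      return rules.allow.some(hit);
    },
  };
}

// Models the default rule on Meteor.users: a logged-in user may update
// only the `profile` field of their own document. No insert rule exists.
function makeUsers() {
  const users = makeCollection();
  users.allow({
    update: (userId, user, fields) =>
      user._id === userId && fields.length === 1 && fields[0] === 'profile',
  });
  return users;
}

const alice = { _id: 'u1', isAdmin: false, profile: {} }; // constructed sample user

// Evaluates three client writes with and without the deny rule from the question.
function check(hardened) {
  const users = makeUsers();
  if (hardened) users.deny({ update() { return true; } });
  return {
    setIsAdmin: users.clientWrite('update', 'u1', alice, ['isAdmin']),
    setProfile: users.clientWrite('update', 'u1', alice, ['profile']),
    insertAdmin: users.clientWrite('insert', 'u1', { isAdmin: true }),
  };
}

console.log('default :', check(false));
console.log('hardened:', check(true));
```

In this model a top-level `isAdmin` is never client-writable; what the deny rule changes is that `profile` stops being writable too, which matters if any authorization data is ever kept under `profile`.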