Safe to store "isAdmin" and other similar info on Meteor user object?

Currently I’m storing fields such as isAdmin directly on the Meteor user object. But I also have this declared on the server end:

Meteor.users.deny({
  update() {
    return true;
  },
});

I’m assuming this practice is safe? I’ve verified that the user is unable to change this value from the browser console. I could also have other sensitive data stored on the user object and simply not publish it, if I don’t want them to even see certain things.

Do you also have insert denied? I could create a new user document with isAdmin set if I knew what I was doing (which is a stretch :wink:).

Got that covered. :wink:

Accounts.config({
  forbidClientAccountCreation: true,
});
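The two defences discussed in this thread (a server-side deny rule on `Meteor.users` and publishing only the fields a client should see) as an added stand-alone model, not code from the thread or from Meteor itself: it re-implements Meteor's documented allow/deny evaluation order and an inclusive `fields` projection in plain JavaScript so the behaviour can be checked without a running app. `evaluateClientWrite`, `projectUser`, `demo` and the sample user `alice` are constructed for illustration.

```javascript
// Model of Meteor's client-write check: every deny callback runs first and any
// `true` rejects the write; otherwise at least one allow callback must return
// `true`. A collection with no allow rule for an operation rejects it outright.
function evaluateClientWrite(rules, op, userId, doc, fields) {
  const denies = (rules.deny || []).map(r => r[op]).filter(Boolean);
  const allows = (rules.allow || []).map(r => r[op]).filter(Boolean);
  if (denies.some(fn => fn(userId, doc, fields))) return false;
  return allows.some(fn => fn(userId, doc, fields));
}

// accounts-base ships this allow rule: a user may edit only `profile` on their own doc.
const defaultProfileAllow = {
  update: (userId, user, fields) =>
    user._id === userId && fields.length === 1 && fields[0] === 'profile',
};

// The rule from the thread: deny every client-side update, whatever the field.
const denyAllUpdates = { update: () => true };

// Mirrors `Meteor.users.find(id, { fields: {...} })` with an inclusive spec:
// a field that is not listed is never sent to the client (_id is always sent).
function projectUser(doc, fieldSpec) {
  const out = { _id: doc._id };
  for (const [field, include] of Object.entries(fieldSpec)) {
    if (include && field in doc) out[field] = doc[field];
  }
  return out;
}

// Constructed sample user document with a top-level isAdmin flag.
const alice = { _id: 'u1', username: 'alice', isAdmin: false, profile: { name: 'Alice' } };

function demo() {
  const defaultsOnly = { allow: [defaultProfileAllow] };
  const withDenyRule = { allow: [defaultProfileAllow], deny: [denyAllUpdates] };
  return {
    // Built-in rule alone: own profile is editable, a top-level field is not.
    profileEditDefault: evaluateClientWrite(defaultsOnly, 'update', 'u1', alice, ['profile']),
    isAdminEditDefault: evaluateClientWrite(defaultsOnly, 'update', 'u1', alice, ['isAdmin']),
    // With the thread's deny rule, no client update gets through at all.
    profileEditDenied: evaluateClientWrite(withDenyRule, 'update', 'u1', alice, ['profile']),
    // No allow rule exists for insert, so a client insert is rejected by default.
    insertDenied: evaluateClientWrite(withDenyRule, 'insert', 'u1', alice, []),
    // Publishing only username and profile keeps isAdmin out of the client cache.
    published: projectUser(alice, { username: 1, profile: 1 }),
  };
}
```

Note that the deny rule also switches off the built-in profile allow, which is what makes it stricter than Meteor's default, while the projection is what keeps unpublished fields invisible rather than merely read-only.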