Safe to store "isAdmin" and other similar info on Meteor user object?


#1

Currently I’m storing fields such as isAdmin directly on the Meteor user object. But I also have this declared on the server end:

Meteor.users.deny({
  update() {
    return true;
  },
});

I’m assuming this practice is safe? I’ve verified that the user is unable to change this value from the browser console. I could also have other sensitive data stored on the user object and simply not publish it, if I don’t want them to even see certain things.


#2

Do you also have insert denied? I could create a new user document with isAdmin set if I knew what I was doing (which is a stretch :wink:).


#3

Got that covered. :wink:

  Accounts.config({
    forbidClientAccountCreation: true,
  });