Security for collection-helpers


Apologies if there is a concrete answer I missed, but could not find it.

I am confused about the security differences between using Meteor Methods (strictly server side) and Collection Helpers (available on client + server), specifically with dburles:collection-helpers

Let’s say I have a Collection Helper like below, and I have also implemented deny rules for all Tasks, all in a “tasks.js” file, where the Schema is defined.

Tasks.helpers ({
  saveTask: function(taskId, taskText){
    //save task to DB

  insert() { return true; },
  update() { return true; },
  remove() { return true; }

  1. Will the client automatically be able to write that task to the app’s DB?

  2. Or will it write to the local client side minimongo, and then run the server side version (like a method stub vs Meteor.method)?

  3. What about User Permissions, and Validation? Am I correct to assume any validation has to be custom inside the helper – there is nothing like validate() functions for such helpers?


Collection helpers is just a handy way to store functions, all it does is add the helpers to the prototype of the objects returned by fetch(). It doesn’t have any special security features, and calling it on the client will not call it on the server.

Yes you can use simple-schema and other validators inside a helper.


Thanks appreciate the clarification - so any actions on client will remain on client, and any calls on server will actually modify the persistent DB.


No, if you call Collection.insert() or update() on the client, it will attempt to update the server too (standard Meteor behavior, nothing to do with collection-helpers). Depending on the security permissions you’ve set up, it may or may not succeed. And if it fails to update the server, it will revert the changes to the client, because the server and client should always be in sync.


Gotcha thanks, that makes more sense.