Security hole in official Meteor tutorial app


#1

The last page of the tutorial app https://www.meteor.com/try/11 states “now our app is secure from attackers trying to view or modify someone’s private tasks”; however, I don’t believe that is the case. If someone is not logged in, task.owner !== Meteor.userId() always evaluates to true, allowing a private task to be deleted by guessing the id.


#2

They need the code from addTask just above:

// Make sure the user is logged in before deleting a task
if (! Meteor.userId()) {
  throw new Meteor.Error("not-authorized");
}

#3

Looks like a real issue! Please post this as an issue in the simple-todos repo?


#4

Did you one better and submitted a PR https://github.com/meteor/simple-todos/pull/14