The last page of the tutorial app, “Meteor Software - Build with Meteor.js, deploy on Meteor Cloud”, states “now our app is secure from attackers trying to view or modify someone’s private tasks”; however, I don’t believe that is the case. If someone is not logged in, `task.owner !== Meteor.userId()` always evaluates to true, allowing a private task to be deleted by guessing the id.
They need the code from `addTask` just above:

```js
// Make sure the user is logged in before deleting a task
if (!Meteor.userId()) {
  throw new Meteor.Error("not-authorized");
}
```
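As an added example (not code from the tutorial or the simple-todos repo), here is the hardened `tasks.remove` logic as a plain JavaScript function that runs outside Meteor, with the login check placed before the owner comparison so a null user id can never reach it. It assumes the caller's id is passed in as an argument (where a real method would use `this.userId` or `Meteor.userId()`) and uses constructed sample tasks with the tutorial's `owner` and `private` fields.

```javascript
// Added example, not the tutorial's or simple-todos' code: a plain-JS model of
// the hardened `tasks.remove` method. In Meteor the caller id is `this.userId`
// (null when anonymous) and tasks live in Mongo; here both are arguments.
class NotAuthorized extends Error {
  constructor(reason) {
    super(reason);
    this.error = reason; // mirrors the `error` field of Meteor.Error
  }
}

// Constructed sample data; a fresh Map per call so each scenario starts clean.
function makeTasks() {
  return new Map([
    ['t1', { _id: 't1', text: 'private task', owner: 'alice', private: true }],
    ['t2', { _id: 't2', text: 'public task', owner: 'alice', private: false }],
  ]);
}

// Hardened removal. Order matters: reject anonymous callers before the owner
// comparison, refuse unknown ids (otherwise reading `task.owner` on a missing
// task throws a TypeError), then let only the owner remove a private task.
function removeTask(collection, taskId, userId) {
  if (typeof taskId !== 'string') {
    throw new NotAuthorized('invalid-id'); // stands in for check(taskId, String)
  }
  if (!userId) {
    throw new NotAuthorized('not-authorized'); // the login check the post adds
  }
  const task = collection.get(taskId);
  if (!task) {
    throw new NotAuthorized('not-found');
  }
  if (task.private && task.owner !== userId) {
    throw new NotAuthorized('not-authorized'); // non-owner on a private task
  }
  collection.delete(taskId);
  return true; // removed
}

// Wrapper for exercising scenarios: returns 'removed' or the error code.
function tryRemove(taskId, userId) {
  try {
    removeTask(makeTasks(), taskId, userId);
    return 'removed';
  } catch (e) {
    if (e instanceof NotAuthorized) return e.error;
    throw e;
  }
}
```

Public tasks keep the tutorial's semantics (any logged-in user may remove them); only the private branch requires ownership.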
Looks like a real issue! Could you post this as an issue in the simple-todos repo?