Security hole in official Meteor tutorial app


The last page of the tutorial app states “now our app is secure from attackers trying to view or modify someone’s private tasks”; however, I don’t believe that is the case. If someone is not logged in, task.owner !== Meteor.userId() always evaluates to true, allowing a private task to be deleted by guessing the id.


They need the code from addTask just above:

// Make sure the user is logged in before deleting a task
if (! Meteor.userId()) {
  throw new Meteor.Error("not-authorized");
}


Looks like a real issue! Please post this as an issue in the simple-todos repo?


Did you one better and submitted a PR
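To make the authorization order concrete, here is an added example (not the tutorial's or the PR's own code) of a deleteTask method body written against an in-memory store so it runs without Meteor. The names `MethodError`, `makeStore`, `deleteTask` and `tryDelete` are assumptions, and `userId` stands in for Meteor.userId() inside the method.

```javascript
// Stand-in for Meteor.Error: exposes the reason on `.error` like the real one.
class MethodError extends Error {
  constructor(reason) {
    super(reason);
    this.error = reason;
  }
}

// Constructed sample data standing in for the Tasks collection.
function makeStore() {
  return new Map([
    ["t1", { _id: "t1", owner: "alice", private: true,  text: "alice private" }],
    ["t2", { _id: "t2", owner: "alice", private: false, text: "alice public" }],
  ]);
}

// deleteTask hardened as the thread suggests: reject anonymous callers
// before touching the task, then enforce ownership on private tasks.
// The public-task rule (any logged-in user may delete) follows the tutorial.
function deleteTask(store, taskId, userId) {
  // Make sure the user is logged in before deleting a task
  if (!userId) {
    throw new MethodError("not-authorized");
  }
  const task = store.get(taskId);
  // Guard against a guessed or stale id instead of dereferencing undefined.
  if (!task) {
    throw new MethodError("not-found");
  }
  if (task.private && task.owner !== userId) {
    throw new MethodError("not-authorized");
  }
  store.delete(taskId);
  return true;
}

// Returns the outcome as a string instead of throwing, handy for checks.
function tryDelete(store, taskId, userId) {
  try {
    return deleteTask(store, taskId, userId) ? "deleted" : "kept";
  } catch (e) {
    return e instanceof MethodError ? e.error : "unexpected";
  }
}
```

An anonymous caller (userId of null) is refused for every task id, so guessing an id no longer reaches the ownership comparison.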