Security: ReactiveCountdown


#1

Hello!

I have ReactiveCountdown function on server. On tick is running server calculation function and update my collection objects.

I need to denny updates on client, but i need to allow update to server side!

Client is not loggin.

How I can do it? thanks


#2

Make sure you meteor remove autopublish insecure.

Then, if you ensure your code is only on the server* (no client or shared js), then it cannot be accessed on the client.


* Put code in the server/ folder. If you are using import, put code in the imports/server/ folder.

EDIT: forgot to add insecure to the remove list.


#3

ok,but client can open browser console and run coommand to update collection object! I can`t denny permition to update because i need to update on server side!


#4

Not if it’s not available on the client.


#5

https://www.meteor.com/tutorials/blaze/security-with-methods

meteor remove insecure
(…) after removing this package (…) all client-side database permissions have been revoked