For example: My user profile contains the field isAdmin.
I want to check this field in my publications so that I will be able to know if he is an admin or not.
You’d have to fetch the subscribing user first, and then do all your checks.
Here’s an example:
Meteor.publish('users', function() {
  /* this.userId is exposed in publications; this check would see if user's even logged in */
  check(this.userId, String);
  /* get only one field for optimization */
  var subscriber = Meteor.users.findOne(this.userId, { fields: { 'profile.isAdmin': 1 } });
  if (!subscriber || !subscriber.profile.isAdmin) {
    /* not an admin: mark the subscription ready without publishing anything */
    this.ready();
    return;
  }
  return Meteor.users.find({}, { fields: { username: 1, profile: 1, createdAt: 1, role: 1 } });
});
For a complete, robust solution, I’d also guard the isAdmin access by using a deep find utility, so you don’t get an error if subscriber.profile isn’t an object.
These are publication examples, which means they execute on the server.
A user can’t modify the execution in the console, unless they actually send an update command to the server.
That said, it’s trivial to say you should always remove the insecure package from a project before exposing it to public users, and apply tight restrictions on collection CRUD.
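The guarded isAdmin lookup mentioned in the answer above, as an added example that is not code from the thread: `deepFind`, `isAdmin` and `publishUsers` are hypothetical names, and the publication logic is pulled into a plain function so it also runs outside Meteor. Assumptions that differ from the posted code: a logged-out subscriber gets an empty ready subscription instead of a `check` error, and only the boolean `true` counts as admin.

```javascript
// Added example; deepFind, isAdmin and publishUsers are hypothetical names.

// Walk a dotted path, returning undefined instead of throwing when an
// intermediate value is missing or is not an object.
function deepFind(obj, path) {
  let cur = obj;
  for (const key of path.split('.')) {
    if (cur === null || typeof cur !== 'object') return undefined;
    cur = cur[key];
  }
  return cur;
}

// Assumption: only the boolean true grants access, so a truthy string
// such as "false" stored in the field is rejected.
function isAdmin(user) {
  return deepFind(user, 'profile.isAdmin') === true;
}

// ctx stands in for the publication's `this` (userId, ready());
// users stands in for Meteor.users (findOne, find).
function publishUsers(ctx, users) {
  if (typeof ctx.userId !== 'string') {
    ctx.ready(); // not logged in: publish nothing
    return undefined;
  }
  const subscriber = users.findOne(ctx.userId, {
    fields: { 'profile.isAdmin': 1 },
  });
  if (!isAdmin(subscriber)) {
    ctx.ready(); // missing user, malformed profile, or not an admin
    return undefined;
  }
  return users.find({}, {
    fields: { username: 1, profile: 1, createdAt: 1, role: 1 },
  });
}

// Wire it up only when running inside Meteor (server side).
if (typeof Meteor !== 'undefined') {
  Meteor.publish('users', function () {
    return publishUsers(this, Meteor.users);
  });
}
```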