When the very first publish functions are run in my application, the client already knows its userId but the server does not. Therefore, I send the userId to the server in the subscribe call, but that potentially allows a user to impersonate another.
// Client
Template.myTemplate.onCreated(function () {
  this.subscribe("test", Meteor.userId())
})

// Server
Meteor.publish("test", userId => {
  const uid = this.userId // undefined
  // Return data based on userId
})
Putting the client subscribe in an autorun doesn’t make a difference because the client already has his userId; therefore the autorun is only called once. Same thing if you add “Meteor.loggingIn”, as the client has already ended the login process.
Template.myTemplate.onCreated(function () {
  this.autorun(() => {
    const uid = Meteor.userId()
    this.subscribe("test", uid)
  })
})
It is clearly a timing issue, as subsequent subscribes don’t have that problem.
Is there any way to wait on the server side?
Also, the documentation makes it sound like this shouldn’t happen:
this.userId
ddp-server/livedata_server.js, line 985
Access inside the publish function. The id of the logged-in user, or null if no user is logged in.
This is constant. However, if the logged-in user changes, the publish function is rerun with the new value.
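Added example, not part of the original post and not Meteor's code: a constructed stand-in for the publish dispatch, assuming the handler is invoked with the subscription as `this` (as the quoted documentation for `this.userId` implies). `publish`, `runSubscription`, `docsFor` and the sample data are hypothetical; the block compares a handler that trusts the client-supplied id, an arrow-function handler reading `this.userId`, and a `function` handler that takes identity only from `this.userId`.

```javascript
// Constructed stand-in for the server's publish dispatch (not Meteor's code).
// Assumption: the handler is called with the subscription object as `this`,
// and `this.userId` comes from the authenticated connection, not the client.
const handlers = {};
const publish = (name, fn) => { handlers[name] = fn; };
const runSubscription = (name, sessionUserId, ...clientParams) =>
  handlers[name].apply({ userId: sessionUserId }, clientParams);

// Constructed sample data: one private document per user.
const docs = [
  { owner: "alice", secret: "A-1" },
  { owner: "bob", secret: "B-1" },
];
const docsFor = uid => docs.filter(d => d.owner === uid).map(d => d.secret);

// 1. Identity taken from the subscribe argument: whatever id the client
//    sends decides which documents are published.
publish("trustsClient", userId => docsFor(userId));

// 2. Arrow function reading this.userId: arrow functions have no `this` of
//    their own, so the subscription bound by apply() is ignored and the
//    enclosing scope's `this` is used instead.
publish("arrowThis", () => this?.userId);

// 3. `function` handler: `this` is the subscription, so the id is the one the
//    server authenticated. Client parameters are never used as identity.
publish("serverIdentity", function () {
  if (!this.userId) return []; // not logged in: publish nothing
  return docsFor(this.userId);
});

// Session authenticated as "alice", client passes "bob" as a parameter.
console.log(runSubscription("trustsClient", "alice", "bob"));
console.log(runSubscription("arrowThis", "alice"));
console.log(runSubscription("serverIdentity", "alice", "bob"));
```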