[SOLVED] How to remove clientside mongo database actions

Hey all :wave:

I’ve been working on my app with Meteor and I’ve really been enjoying it so far, but recently I’ve run into a roadblock. I decided to only use Meteor methods as a way of doing all database calls, like a traditional API, but I’ve found that the client can still use new meteor.collection to see everything that’s in the collection, and my inner security geek is screaming at me saying that’s not a good thing. So I was wondering if it’s possible to remove the new meteor.collection from the client side to prevent that, or if there is another way I can securely make calls to the MongoDB database without it being accessible to the client.

2 Likes

After reading the documentation more deeply I found that removing autopublish seems to prevent the client from seeing the question. Am I safe in assuming that this is 100% not accessible to the client after removing autopublish? (Ignoring if I use the Meteor.publish function)

Yes. Removing both the insecure and autopublish packages will prevent clients from seeing or accessing anything you don’t explicitly make available to them.

That’s awesome! Thanks a lot @rhywden. Now I can sleep without my brain being concerned about the collection being accessed from the client :sweat_smile:
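
One way to confirm the state described in the accepted answer is to check the app's `.meteor/packages` file for the two packages named there. This is an added example, not code from the thread; the function names, the sample file contents and the version numbers in it are constructed for illustration.

```javascript
// Added example: audit the text of a Meteor app's .meteor/packages file for
// the two prototyping packages discussed in this thread.
const RISKY = {
  autopublish: 'publishes every collection to every client',
  insecure: 'lets clients write to collections that have no allow/deny rules',
};

// File format: one package per line, optional "@version" constraint,
// "#" starts a comment that runs to the end of the line.
function auditMeteorPackages(text) {
  const findings = [];
  text.split(/\r?\n/).forEach((raw, i) => {
    const line = raw.replace(/#.*$/, '').trim(); // drop comments and padding
    if (!line) return;                           // blank or comment-only line
    const name = line.split('@')[0].trim();      // strip version constraint
    // Exact match only, so "someone:insecure" or "constructor" never hits.
    if (Object.prototype.hasOwnProperty.call(RISKY, name)) {
      findings.push({ line: i + 1, package: name, reason: RISKY[name] });
    }
  });
  return findings;
}

// True when neither package is enabled.
function isLockedDown(text) {
  return auditMeteorPackages(text).length === 0;
}

// Constructed sample input (versions are made up for the example).
const SAMPLE = [
  '# Meteor packages used by this project, one per line.',
  'meteor-base@1.5.1',
  'mongo@1.16.0',
  'autopublish@1.0.7   # remove before deploying',
  '# insecure@1.0.7',
  'insecure',
  'aldeed:collection2',
].join('\n');

for (const f of auditMeteorPackages(SAMPLE)) {
  console.log(`line ${f.line}: ${f.package} (${f.reason})`);
}
console.log('locked down:', isLockedDown(SAMPLE));
```

A clean result only covers these two packages; anything exposed through an explicit `Meteor.publish` call still needs its own review.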