Todo example: how to securely set user id on list collection?


#1

Hi all.

I was studying the todo example and came across the bit where the toggleListPrivacy() function is declared. I failed to find any server side validation on the user id.

Is there a way to override the toggleListPrivacy() function and maybe supply any arbitrary value for the user id thus assigning the list to another user?

How does Meteor make sure that the user id specified on client code is indeed the authenticated user’s id?

Should I not create a Meteor method and call it from the client? something like

Meteor.methods({
  setListAsPrivate : function(userId,listId) {
    Lists.update(list._id, {$set: {userId: Meteor.userId()}});
  }
}

and then on the client side do

Meteor.call('setListAsPrivate ', userId, listId)

If somebody could clarify these that would be great. I’m sure it’s something trivial that I missed.

Thanks a lot.


#2

You should never pass the userId from the client to the server. Anyone can then impersonate any user. The todos app correctly implements a publish for private lists which uses the server instance of the userId.

Meteor.publish('privateLists', function() {
  if (this.userId) {
    return Lists.find({userId: this.userId});
  } else {
    this.ready();
  }
});

The current userId is available on the server within Meteor.publish and Meteor.methods.


#3

Thanks for the reply robfallows.

I don’t quite understand how that publish method relates to this

Lists.update(list._id, {$set: {userId: Meteor.userId()}});

^ this IS on the client side.