Trash the 'users' collection profile field until doc size limit is reached


#1

A malicious user could enter something along the line:

var update = {}
for (i = 0; i < 99999; i++) {
  update["profile.trash"+i] = "fehdskfcfknscfdshiufxmiwfehdskfcfknscfdshiufxmiwfehds";
}
Meteor.users.update(Meteor.userId(), { $set: update })

Couldn’t a user do this until the max doc size is reached? Or is there something like a property limit for an Object field in MongoDB?

Also who want’s to send unnecessary data over the wire when you have a few users who play with the client’s console?


#2

Here is a hackpad about users.profile.


#3

thanks! So for now I’m just going to stick with deny and methods for user input