Update insecure Users collection

I checked my app’s security in the bakery’s Security tab and it showed this:

[image: bakery]

Is this due to the profile field? Or should I do something about it?

I do not use deny/allow at all in my apps. Updating data is only done through methods.

Yes, this is very likely the profile key being client writable. It’s an easy fix.

There is nothing wrong with allow/deny rules. There was a big stink about them being hard to reason about but it’s just not true if you use other tools such as simple-schema alongside allow/deny. This makes it easier to reason about and less error-prone. Bare methods without these tools are just as hard to write securely and prone to issues. Client-side DB ops are amazing and it sucks that so few people get to experience that just because of the incorrect notion that using methods is somehow more secure.

1 Like

I agree with you on that, however, I will stick to methods anyway.

Point is, I tried to get rid of the Update:insecure message by adding the following code:

Meteor.users.deny({
  update() { return true; }
});

but that does not make any difference. I don’t understand why it doesn’t make that insecure message go away.
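
An added example, not part of the thread and not Meteor's own code: a simplified JavaScript model of the allow/deny check, showing why an own-profile allow rule leaves `profile` client-writable and what the deny rule from the post changes. The `RuleSet` class, the `ownProfileOnly` rule and the sample document and modifiers are constructed for illustration.

```javascript
// Simplified model of how client-side updates are checked against allow/deny
// rules. Constructed for illustration; it is not Meteor's source code.
class RuleSet {
  constructor() { this.allow = []; this.deny = []; }

  // Top-level field names touched by a Mongo modifier, e.g.
  // { $set: { 'profile.name': 'x' } } -> ['profile']
  static topLevelFields(modifier) {
    const fields = new Set();
    for (const op of Object.values(modifier)) {
      for (const key of Object.keys(op)) fields.add(key.split('.')[0]);
    }
    return [...fields];
  }

  // A client update passes only if no deny rule returns true
  // and at least one allow rule returns true.
  canUpdate(userId, doc, modifier) {
    const fields = RuleSet.topLevelFields(modifier);
    if (this.deny.some((rule) => rule(userId, doc, fields, modifier))) return false;
    return this.allow.some((rule) => rule(userId, doc, fields, modifier));
  }
}

// Assumed rule, modelled on the accounts default: a logged-in user may
// update their own document, but only the `profile` field.
const ownProfileOnly = (userId, doc, fields) =>
  doc._id === userId && fields.length === 1 && fields[0] === 'profile';

function demo() {
  const user = { _id: 'u1', profile: { name: 'Ann' } }; // constructed sample document
  const writes = { // constructed sample modifiers sent by the logged-in client
    rename: { $set: { 'profile.name': 'Bob' } },
    extraKey: { $set: { 'profile.isAdmin': true } }, // any key under profile is accepted
    otherField: { $set: { roles: ['admin'] } },
  };
  const check = (rules) => Object.fromEntries(
    Object.entries(writes).map(([name, mod]) => [name, rules.canUpdate('u1', user, mod)]));

  const rules = new RuleSet();
  rules.allow.push(ownProfileOnly);
  const before = check(rules); // only the allow rule is present

  rules.deny.push(() => true); // same effect as the deny rule in the post
  const after = check(rules);
  return { before, after };
}

console.log(demo());
```

With the deny rule in place every client-side update is rejected, so profile changes have to go through a method that validates its input on the server.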