Updating user fields using Meteor.users().update

I have a field that I added to the users collection called ‘farm’, and now I want to set it to ‘null’ because the farm account has been deleted. I am currently doing this:

Meteor.users.update({_id: Meteor.user()._id}, {$set: {'farm': null}});, but it is spitting back a 403 error.

I tried setting allow/deny methods, but those don’t appear to be called. I currently set them in the /lib folder.

Any suggestions? I’m pretty stumped.

To make changes to the user document (other than the profile object) you need to have the allow/deny rules set correctly. You will need to have at least:

Meteor.users.allow({
  // Returning true lets the client-side update through for every caller.
  update: function (userId, doc, fields, modifier) {
    return true;
  }
});

However, something to make sure you’re clear on is this: if you allow that, then any user can manually update that record from their browser regardless of logic in your app. In my apps, any changes to the user profile are all done via server methods.

OK, only changing the user profile using a server method sounds like a better plan actually. I will go with that. Thanks for the help with the above issue though! I had no idea why I was not being allowed to update users (I guess maybe for the better).

I’ve got exactly the same code, and although it works, it only works in a temporary way: if I reload the page the update is working but always has the same value.

Meteor.users.allow({
  update: function (userId, doc, fields, modifier) {
    console.log('UPDATE USER');
    return true;
  }
});

Meteor.methods({
	addPublication: function (publications) {
		check(publications, Number);

		Meteor.users.update({ _id: Meteor.userId() }, {
			$set:{
				publications: publications,
			}
		});
	}
});

And on top of my controller:
Meteor.call('addPublication', Meteor.user().publications + 1);
So, the field publications is 0 by default but with that line is 1.

If I put that last line in a timeout I can see the value changing from 0 to 1 always.

Am I missing something?

Are you running this code on the server, the client or shared?

Best way is to take a look at the guide on how to do this well:

You don’t want to use that allow on user records. There is no need for that, see also: https://guide.meteor.com/security.html#allow-deny


The method call is the only part on the client side.
I’ll take another look at that link again anyway to be sure.

I think your original issue is: you don’t publish that publications field. So JavaScript makes it nothing + 1 = 1 constantly.

Anyway you should really move away from allow and share the method on both client and server. As described in the guide. If you get one method right it’s fairly easy to do the other ones as well.
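
The server-method approach recommended in this thread, as an added example that is not part of any post: the methods take no arguments, so the client supplies neither the user id nor the new value. `makeUserMethods`, `fakeUsers` and `demo` are hypothetical names, the in-memory collection and sample users are constructed so the block runs under plain Node, and a Meteor app would throw `Meteor.Error` rather than `Error`.

```javascript
// Added example, not code from the thread. makeUserMethods and fakeUsers are
// hypothetical names; the method bodies are plain functions so they run in Node.
function makeUserMethods(users) {
  return {
    // No arguments: the client chooses neither the target user nor the value.
    clearFarm() {
      if (!this.userId) throw new Error('not-authorized');
      return users.update({ _id: this.userId }, { $set: { farm: null } });
    },
    // The server computes the count with $inc; no client-supplied number is trusted.
    addPublication() {
      if (!this.userId) throw new Error('not-authorized');
      return users.update({ _id: this.userId }, { $inc: { publications: 1 } });
    },
  };
}

// Server-side registration in a Meteor app (skipped when run outside Meteor).
if (typeof Meteor !== 'undefined') {
  Meteor.methods(makeUserMethods(Meteor.users));
  // Refuse all direct client-side writes to user documents.
  Meteor.users.deny({ update() { return true; } });
}

// Constructed in-memory stand-in for Meteor.users: $set/$inc by _id only.
function fakeUsers(docs) {
  return {
    docs,
    update(selector, modifier) {
      const doc = docs.find((d) => d._id === selector._id);
      if (!doc) return 0;
      Object.assign(doc, modifier.$set || {});
      for (const [k, n] of Object.entries(modifier.$inc || {})) doc[k] = (doc[k] || 0) + n;
      return 1;
    },
  };
}

// Constructed sample data; Meteor sets this.userId from the logged-in connection.
function demo() {
  const users = fakeUsers([{ _id: 'u1', farm: 'f9' }, { _id: 'u2', farm: 'f3' }]);
  const methods = makeUserMethods(users);
  methods.clearFarm.call({ userId: 'u1' });
  methods.addPublication.call({ userId: 'u1' });
  methods.addPublication.call({ userId: 'u1' });
  let rejected = false;
  try { methods.clearFarm.call({ userId: null }); } catch (e) { rejected = true; }
  return { docs: users.docs, rejected };
}
```

Because `$inc` creates the field when it is absent, the counter no longer depends on what the client has published or on a default set at login.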

I’ve got that field published here:

Meteor.publish('users', function() {
  return Meteor.users.find({}, {
    fields: {
      emails: 1,
      profile: 1,
      username: 1,
      publications: 1,
      followers: 1,
      following: 1,
      resume: 1,
      avatar: 1
    }
  });
});

That is on the server side.

I can update my other 2 collections the same way or just with update (with no method, I mean). The only problem is when I try to update the user collection (which is a Meteor collection).

I just figured out what the problem was.

I had to check if I had the new fields in my user collection in my onLogin function:

Accounts.onLogin(function(user) {
  // Backfill the custom fields for accounts that do not have them yet.
  if (!user.user.publications) {
    Meteor.users.update(Meteor.userId(), {
      $set: {
        publications: 0,
        followers: 0,
        following: 0,
        resume: '',
        avatar: 'http://www.bcyk.org/Content/images/kisiler/avatar.jpg'
      }
    });
  }
});