User profile security


#1

Hello,
I’m not sure if I’m gonna get an answer on Stack Overflow. Can anyone answer me here?


#2

Would be nice if you quoted your entry on SO here instead of just linking it.

However:
Doing what the article says and doing:
Meteor.users.deny({ update: function() { return true; } });

Should do the trick. Actually didn’t know this hole existed.
Also, of course, you have to validate data server-side and do all important DB operations far, far away from the client!
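
To make the effect of that deny rule checkable offline, here is an added example that is not Meteor's code and not from the post above: a small stand-alone model of how Meteor resolves a client-originated update to Meteor.users (deny rules are consulted first, then at least one allow rule must return true), with the default accounts-base rule that lets a user write only the `profile` field of their own document. The user documents, the `profile.isAdmin` write and the server-side `setDisplayName` method (including the `profile.displayName` field) are constructed for the example and are assumptions, not anything the thread specifies.

```javascript
// Added example (not Meteor's own code): a stand-alone model of Meteor's
// allow/deny resolution for client writes to Meteor.users, used to show
// what the default profile rule permits and what the deny rule changes.

// Apply a MongoDB-style $set with dotted paths ("profile.isAdmin") to a doc.
function applySet(doc, setFields) {
  for (const [path, value] of Object.entries(setFields || {})) {
    const parts = path.split(".");
    let cursor = doc;
    for (const part of parts.slice(0, -1)) {
      if (typeof cursor[part] !== "object" || cursor[part] === null) cursor[part] = {};
      cursor = cursor[part];
    }
    cursor[parts[parts.length - 1]] = value;
  }
}

// Model of a Meteor collection with allow/deny rules for "update".
function makeUsersCollection() {
  const docs = new Map();
  const allowRules = [];
  const denyRules = [];
  return {
    insert(doc) { docs.set(doc._id, JSON.parse(JSON.stringify(doc))); },
    findOne(id) { return docs.get(id); },
    allow(rules) { if (rules.update) allowRules.push(rules.update); },
    deny(rules) { if (rules.update) denyRules.push(rules.update); },
    // A write arriving from the client: only userId (the logged-in caller)
    // is trusted; the target id and the modifier are attacker-controlled.
    clientUpdate(userId, id, modifier) {
      const doc = docs.get(id);
      if (!doc) return false;
      // Meteor hands rules the top-level field names the modifier touches,
      // so "profile.x" and "profile.y" collapse to ["profile"].
      const fields = [...new Set(Object.keys(modifier.$set || {}).map((f) => f.split(".")[0]))];
      const denied = denyRules.some((r) => r(userId, doc, fields, modifier));
      const allowed = allowRules.some((r) => r(userId, doc, fields, modifier));
      if (denied || !allowed) return false;
      applySet(doc, modifier.$set);
      return true;
    },
    // A write made by trusted server code (e.g. inside a Meteor method):
    // allow/deny rules are not consulted.
    serverUpdate(id, modifier) {
      const doc = docs.get(id);
      if (!doc) return false;
      applySet(doc, modifier.$set);
      return true;
    },
  };
}

// The default rule accounts-base installs: a user may update the
// 'profile' field of their own document, and nothing else.
function installDefaultProfileRule(users) {
  users.allow({
    update(userId, user, fields) {
      return user._id === userId && fields.length === 1 && fields[0] === "profile";
    },
  });
}

// The rule from the thread: refuse every client-side update.
function lockDownUsers(users) {
  users.deny({ update() { return true; } });
}

// Hypothetical server-side replacement for the client write: accepts only a
// validated display name and writes it to the caller's own document.
function setDisplayName(users, callerId, name) {
  if (!callerId) throw new Error("not logged in");
  if (typeof name !== "string" || name.trim().length === 0 || name.length > 40) {
    throw new Error("invalid display name");
  }
  return users.serverUpdate(callerId, { $set: { "profile.displayName": name.trim() } });
}

// Walk-through: the same client write before and after the deny rule.
function demo() {
  const results = {};

  // Default behaviour: the client may put anything under its own profile.
  const open = makeUsersCollection();
  installDefaultProfileRule(open);
  open.insert({ _id: "u1", profile: { name: "alice" } }); // constructed sample user
  open.insert({ _id: "u2", profile: { name: "bob" } });   // constructed sample user
  results.defaultAllowsArbitraryProfile = open.clientUpdate("u1", "u1", { $set: { "profile.isAdmin": true } });
  results.defaultBlocksOtherFields = open.clientUpdate("u1", "u1", { $set: { roles: ["admin"] } });
  results.defaultBlocksOtherUsers = open.clientUpdate("u1", "u2", { $set: { "profile.name": "mallory" } });

  // With the deny rule: no client write reaches the profile at all, and
  // changes go through the validated server-side method instead.
  const locked = makeUsersCollection();
  installDefaultProfileRule(locked);
  lockDownUsers(locked);
  locked.insert({ _id: "u1", profile: { name: "alice" } });
  results.lockedBlocksProfile = locked.clientUpdate("u1", "u1", { $set: { "profile.isAdmin": true } });
  results.methodSetsName = setDisplayName(locked, "u1", "Alice A.");
  results.nameAfter = locked.findOne("u1").profile.displayName;
  results.isAdminAfter = locked.findOne("u1").profile.isAdmin;
  return results;
}

console.log(JSON.stringify(demo(), null, 2));
```

The point the model makes visible is that the default rule is not about which values are written, only about which top-level field and whose document; anything the client chooses lands under `profile`, which is why a server-side method with its own validation is the safer place for profile changes once the deny rule is in.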


#3

There is no hole.
The profile object in the user document is designed to be read/write for the user.
But it is considered an antipattern, and I hope Session and the profile object will be deprecated soon.


#4

I don’t know about you, but I consider something that allows the user to write any data they want a security concern.