Using email as admin access

palbergstrom · September 2, 2016, 2:17pm

Can you use the email as admin access? If so, can I safely use it on the client with Meteor.user().emails[0].address==‘my_email’?

macrozone · September 2, 2016, 2:20pm

never trust the client
there is a roles package which is suitable for this case: https://github.com/alanning/meteor-roles

palbergstrom · September 2, 2016, 2:22pm

I’ve seen that but might be a bit overkill for my needs. Thought I just could do a simple thing only for me using the email address.

macrozone · September 2, 2016, 2:26pm

There are some aspects you have to consider (no matter if you do a simple email check or using the roles-package):

prevent non-admin-users from seeing admin-ui (can be done on the client)
prevent non-admin-users from seeing admin-only-data (has to be done on the server (in publications))
prevent non-admin-users from manipulating admin-only-data (has to be done on the server (in methods))

So you can check if a user is an admin by checking his email, but you have to do this not only on the client.

msavin · September 2, 2016, 3:11pm

you can just make a secret code and whenever a method is called with that in the parameters, it runs