Using email as admin access


#1

Can you use the email as admin access? If so, can I safely use it on the client with Meteor.user().emails[0].address==‘my_email’?


#2
  1. never trust the client
  2. there is a roles package which is suitable for this case: https://github.com/alanning/meteor-roles

#3

I’ve seen that but might be a bit overkill for my needs. Thought I just could do a simple thing only for me using the email address.


#4

There are some aspects you have to consider (no matter if you do a simple email check or using the roles-package):

  • prevent non-admin-users from seeing admin-ui (can be done on the client)
  • prevent non-admin-users from seeing admin-only-data (has to be done on the server (in publications))
  • prevent non-admin-users from manipulating admin-only-data (has to be done on the server (in methods))

So you can check if a user is an admin by checking his email, but you have to do this not only on the client.


#5

you can just make a secret code and whenever a method is called with that in the parameters, it runs