So one of the features of Meteor is the ease in which you can run code on both the client and server side.
However, you can still put logic in the server directory if you don’t want it exposed to the client.
I would like to hear experiences from a security point of view about what logic you keep solely on the server side?
The reason I ask is I'm trying to decide whether my access rules should be server only. So I have a file called "AccessRules.js" and it just contains a host of functions such as "CanEditDocument(docId)" which will contain the business rules about when a user can edit a particular document.
Right now, this file sits in the server folder and I use Meteor methods to access this file from the client. So I might have to go Meteor.call('CheckCanEditDocument', docId) from the client side to see whether I can edit the document.
But Meteor methods work asynchronously. This is a problem when I'm trying to use this logic in Handlebars helpers. So say I have a button that I only want to display if I can edit the document.
{{#if canEditDocument }}
<button>Edit</button>
{{/if}}
My helper function below is not going to work because the Meteor call doesn’t return the result, the callback does.
canEditDocument: function(){
return Meteor.call("CheckCanEditDocument", docId);
}
So this means that whenever I load up a template I have to do all the Meteor.call access rule checks, and save them in session variables and then my canEditDocument helper reads from the Session variables. That just sounds really convoluted to me.
So I am questioning, are access rules safe on the client side? Is it dangerous if the user knows the conditions for which a document can be edited or any of these other business rules?
What have you guys generally put in the server-only code? And do you put it in there because of security concerns or because it's code that only works on the server side?
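As an added example (not part of the original post), one common way to resolve the dilemma the question describes: the access rule itself is a pure function in shared code, so a helper can call it synchronously, while the server re-evaluates the same rule on data it loads itself before writing. The file layout, the `Documents` collection and the `updateDocument` method name are assumptions; the sample user and document objects are constructed.

```javascript
// lib/accessRules.js (hypothetical shared file): loaded on client and server.
// The rule only reads fields the client is already allowed to see, so
// exposing it costs nothing; what matters is that the server enforces it.
function canEditDocument(user, doc) {
  if (!user || !doc) return false;
  if (doc.ownerId === user._id) return true;          // owners may edit
  const roles = Array.isArray(user.roles) ? user.roles : [];
  if (roles.includes('admin')) return true;           // admins may edit
  return Array.isArray(doc.editors) && doc.editors.includes(user._id);
}

// client/doc.js (hypothetical): synchronous helper, no Session juggling.
// Guarded so the shared rule stays runnable outside Meteor.
if (typeof Meteor !== 'undefined' && Meteor.isClient) {
  Template.doc.helpers({
    canEditDocument() {
      return canEditDocument(Meteor.user(), Documents.findOne(this._id));
    },
  });
}

// server/methods.js (hypothetical): the server never trusts a user or
// document object sent by the client; it reloads both by id and re-checks.
if (typeof Meteor !== 'undefined' && Meteor.isServer) {
  Meteor.methods({
    updateDocument(docId, body) {
      check(docId, String);
      check(body, String);
      const user = Meteor.users.findOne(this.userId);
      const doc = Documents.findOne(docId);
      if (!canEditDocument(user, doc)) {
        throw new Meteor.Error('not-authorized', 'cannot edit this document');
      }
      Documents.update(docId, { $set: { body } });
    },
  });
}

// Constructed sample data: one document, three users with different standing.
const sampleDoc = { _id: 'd1', ownerId: 'u-owner', editors: ['u-editor'] };
const sampleUsers = {
  owner:   { _id: 'u-owner', roles: [] },
  editor:  { _id: 'u-editor' },
  admin:   { _id: 'u-admin', roles: ['admin'] },
  visitor: { _id: 'u-visitor', roles: ['viewer'] },
};

// Evaluates the rule for every sample user; returns { name: boolean }.
function evaluateSample() {
  const result = {};
  for (const name of Object.keys(sampleUsers)) {
    result[name] = canEditDocument(sampleUsers[name], sampleDoc);
  }
  return result;
}
```

The client helper only hides the button; a user who bypasses it and calls the method directly still hits the server-side check.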