Why {{#if}} can't work well


#1

I wanted to role my users, so I wrote some if code, but it doesn't work at all. What's wrong? My code is:
Template:
{{#if ownId}}to this point {{/if}}
helpers:
Template.user.helpers({
  ownId: function () {
    return this.userId === Meteor.userId();
  }
});

So, what's wrong with it? The text doesn't appear, and I have thought about it for three days. Now I am really crazy about it.


#2

What is the data context (the this object) within the helper?

Also, I hope you don't rely on helpers to hide sensitive data, as that can be easily bypassed.


#3

this can call some method, so it should be able to call userId cross-domain.


#4

I have no idea about it.


#5

I think 'this' can call Meteor's method userId, so there is no data in this helper. Must I make data? What data should I write? Thank you.
P.S. Can you give me some advice on hiding sensitive data?


#6

Add this to your helper:

Template.user.helpers({
  ownId: function () {
    console.log(this); // inspect the data context the helper actually receives
    return this.userId === Meteor.userId();
  }
});

Have a look in your browser console to see what is being output for this.
That helper will only work if this contains the userId.
For that to happen, the context of that helper needs to have that data…


#7

It returns null…, but I can't find a way to get user data to compare with Meteor.userId.


#8

Thank you a lot~ Should I do a Mongo find?


#9

So in that template, you must be loading some data from a collection?

You are checking ownership of something right?
If you are just checking if someone is logged in you can use:

{{#if currentUser}}user is logged in{{/if}}

If you're checking that the current user is the owner of some sort of data that is being loaded, then you need to have that data collection loaded as the context for the template and helpers. Otherwise you're not going to be able to use the data.

It also only really makes sense if you are publishing data that is both the user's and other users', for example a list of threads in a forum. Some of them are going to be owned by the current user, some not. If you are only publishing the current user's data, for example a list of private messages, then you don't need to do a check with a helper.

How are you publishing information to the client? Is there a mix of owners of that data in the publication? (ie. forum threads) or is it single owners (private messages), and you think this is an extra step for security?


#10

Thanks a lot, that's really a good idea. I can do a single page to display their messages. It will be the safest. P.S. I am doing a little forum now~
Thanks again :blush:


#11

You have to remember that just because a helper is hiding something from the user doesn't mean the user can't find that information. The client has access to all the data that the helper has access to, whether a helper is displaying it or not.
If the collection is called Threads and has all the forum threads in it, including ones with an attribute hidden, you might use a helper to not display any threads that have hidden = true.
However, the client can still see that data by just running Threads.find({hidden: true}).fetch() in their console.

You must not publish those threads from the server to the client if you want it to be secure…


#12

If you structure your Meteor app like almost every other developer, then you are using Iron.Router to get your templates rendered.

When you define a route in Iron.Router, you can specify which template should be rendered (typically to {{> yield}}) – the easiest way is to give the route the same name as the template, then it will be found automatically. (Some may still be doing things in a more procedural manner inside the action function passed to the route.)

There is another way of defining routes, though, other than the action function, and I like this other way much better and always use it: Instead of passing an action function as the second argument to Router.route, you can pass an object – a route map. This gives a better overview, I think.

Anyway, maybe you already knew all those things… :zzz: :wink:

What I am really getting at, is how to fill a template’s context with data. Inside a template helper, event or hook, the keyword this refers to the data context of the current template; in other words, in your example, this should have been an object with at least one property, userId, holding some value.

When defining a route in Iron.Router, it is possible to make use of a property named data on the route map (or, less conveniently, on an options object passed as the second argument to this.render inside an action function).

The data property must be a function and whatever is returned from that function, that is the context of the current template – that is, the value of this inside your helper. Most of my routes in a normal app look like this:

Router.route("/view/:_id", {
  name: "appViewTemplate",

  data: function () {
    return AppDocuments.findOne(this.params._id);
  }
});

Most of the time – maybe even by far – the data function returns the result of a findOne query, since it is natural to present one document on one page/route. It could also be the result of a find query, in which case the template will contain a {{#each this}} block helper that knows how to iterate over a collection cursor.

It is possible to return a plain object or something else from the data function, but I don’t think it’s a very common use case.



A few comments about security:

I imagine that you do the comparison – this.userId === Meteor.userId() – to check whether the current user is the owner of the current document, which was meant to be the context. (By the way, just for reference :straight_ruler: – usually, the field that holds the user id of a document’s creator/owner is named creatorId.)

So, if the two user ids don't match, don't show the content of the document. But the problem with this approach is that anyone who knows how can open the console and inspect the document, since it has already been sent to the browser.

The way to manage authorization and security in Meteor is through publications. Meteor methods are important for building secure apps, too, but more in the domain of business logic as opposed to data.

I can recommend reading some of the great tutorials out there – ‘Discover Meteor’ is an obvious choice. There are also a large number of instructional videos, by now.

Good luck!
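The two security points made in #11 and #12 (a helper only hides what the client already holds; the publication is where authorization has to happen, with the document as the helper's data context) can be shown side by side. The following is an added example, not code from the thread or from Meteor itself: the publication selector, the ownership check and the "leak" are written as plain functions so they run in Node without Meteor. The Threads documents, the field names creatorId and hidden, and the user ids alice and bob are constructed for illustration; the comments say where each function would plug into Meteor.publish, a Router data function and a template helper.

```javascript
// Added example (not from the original thread). Constructed stand-in for the
// server-side Threads collection: two users, each with one public thread and
// one hidden draft.
const THREADS = [
  { _id: 't1', creatorId: 'alice', hidden: false, title: 'Public thread by alice' },
  { _id: 't2', creatorId: 'alice', hidden: true,  title: 'Private draft by alice' },
  { _id: 't3', creatorId: 'bob',   hidden: false, title: 'Public thread by bob' },
  { _id: 't4', creatorId: 'bob',   hidden: true,  title: 'Private draft by bob' },
];

// Selector a publication should use: every public thread, plus the caller's
// own hidden ones. In Meteor this is what the publish function would return:
//   Meteor.publish('threads', function () {
//     return Threads.find(threadSelectorFor(this.userId));
//   });
// There, this.userId is the authenticated id as known to the server (null when
// logged out); it never comes from the client.
function threadSelectorFor(userId) {
  const clauses = [{ hidden: false }];
  if (userId) clauses.push({ creatorId: userId });
  return { $or: clauses };
}

// Minimal matcher for the selector shape above ($or of equality clauses), just
// enough to simulate which documents the publication sends to a given client.
function matches(doc, selector) {
  return selector.$or.some((clause) =>
    Object.keys(clause).every((key) => doc[key] === clause[key]));
}

// Everything a given user's browser ends up holding in its client-side copy
// of Threads, i.e. everything Threads.find().fetch() in the console can reveal.
function publishedTo(userId) {
  return THREADS.filter((doc) => matches(doc, threadSelectorFor(userId)));
}

// The ownership check from the thread, with the document as data context. In a
// helper this is `this.creatorId === Meteor.userId()`, where `this` is the
// document a route data function returned via Threads.findOne(...).
function isOwner(doc, currentUserId) {
  return Boolean(doc && currentUserId && doc.creatorId === currentUserId);
}

// The insecure approach: publish all of THREADS and let a helper hide
// hidden ones. Whatever the helper skips is still in the client's copy, so
// Threads.find({hidden: true}).fetch() in the console returns it.
function leakedByHelperOnlyFiltering(userId) {
  return THREADS.filter((doc) => doc.hidden && doc.creatorId !== userId);
}

// The same query against what the publication actually sent: nothing leaks,
// because the other user's hidden draft never reached the client.
function leakedByPublication(userId) {
  return publishedTo(userId).filter((doc) => doc.hidden && doc.creatorId !== userId);
}

console.log(publishedTo('alice').map((d) => d._id));               // t1, t2, t3
console.log(leakedByHelperOnlyFiltering('alice').map((d) => d._id)); // t4
console.log(leakedByPublication('alice').map((d) => d._id));       // (empty)
```

The helper is still useful for presentation (showing an edit button only to the owner, say), but it decides nothing about who receives the document; that decision is made once, in threadSelectorFor, on the server. Keeping the selector in a small function like this also makes it easy to test in isolation, which is where such a check belongs.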


#13

Thank you for your advice :smile: I will remember it.
Security comes first.


#14

Dear, after reading your reply four times, I found that you understand my idea so well. And I have more confidence to do it than before :sunny:
Thanks and thanks a lot.
My gratitude can't be expressed in words.
:smiley:


#15

Nice response :smile:


#16

Very nice! :four_leaf_clover: :hatching_chick: