Why is this Posts.allow not working


#1

I am trying to limit who can post to just admins. Why is this allowing non admins to post?

Posts in the database made by non-admins have “admin” : false in them and posts made by admins have “admin” : true, so that part is working.

lib/post.js

Posts = new Mongo.Collection('posts');

Posts.allow({
  insert: function(post) { return post.admin == true; },
});

Meteor.methods({
  postInsert: function(postAttributes) {
    check(postAttributes, {
      text: String
    });

    var user = Meteor.user();
    var post = _.extend(postAttributes, {
      admin: user.admin
    });

    var postId = Posts.insert(post);
    return {
      _id: postId
    };
  }
});

#2

It doesn’t work because doing Mongo operations inside methods bypasses the allow rules. You need to do the admin check in the method itself. Read the explanation below the API details: http://docs.meteor.com/#/full/allow


#3

I generally shy away from using allow/deny in favor of controlling at the method level. I think @joshowens wrote something about this at some point…

Edit:
http://joshowens.me/meteor-security-201/
https://meteor.hackpad.com/Proposal-to-replace-allowdeny-with-insertupdateremove-methods-1WCvv4P9e2h (Thx @lai for pointing this out!)


#4

Yes, and there is a Meteor Hackpad somewhere discussing the deprecation of allow/deny rules.


#5

Since the source file is in the lib directory, the methods are executing on both the client and the server, and allow/deny rules are not applied for server code.

Also, the parameters on the insert rule are incorrect, should be insert(userId, doc), per docs.

I also want to note that you are trusting the admin value in the post, which is coming from the client (which is inherently untrusted). The admin role should be retrieved from the logged-in user, server-side. This may not be the reason for this specific failure, but it’s worth noting.

As @lal pointed out, the docs are good on these points. Good luck!


#6

That was the exact point of my post! I saw the same exact type of code in my code review, people put in allow/deny rules but then use a method which bypasses allow/deny rules.