meteor/svelte-tutorial

Security (React as well)

Closed this issue · 3 comments

Svelte: https://svelte-tutorial.meteor.com/simple-todos/08-methods.html#8-2-Add-Task-Methods
React: https://react-tutorial.meteor.com/simple-todos/08-methods.html#8-2-Add-Task-Methods

The methods do this:

if (!this.userId) {
    throw new Meteor.Error('Not authorized.');
}

At first I was confused about what `this` is, but I found the API docs, because I wasn't sure what userId refers to (the tutorial adds a userId to the Task object as well).

Correct me if I'm wrong, but all this does is check if the user is logged in, so the error should be "Not authenticated". There is no check for authorization. Everyone can remove and edit everyone else's Tasks.

The methods docs use an editableBy method on the collection. I think the most security critical part of the whole tutorial should show how to properly do it. At least check if the userId matches.
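The ownership check the issue asks for, as an added example that is not code from the tutorial or from anyone in this thread. It is written as plain Node so it runs without Meteor: MeteorError stands in for Meteor.Error, a plain array stands in for TasksCollection, and the caller's id is passed in where a real method would read this.userId.

```javascript
// Added example, not from the Meteor tutorial. Shows the step-8 check (login
// only) next to a version that also verifies task ownership.
class MeteorError extends Error {
  constructor(error, reason) {
    super(reason || error);
    this.error = error;   // machine-readable code, as in Meteor.Error
    this.reason = reason; // human-readable message
  }
}

// Constructed sample data: two users, each owning one task.
function sampleTasks() {
  return [
    { _id: 't1', text: 'alice task', userId: 'alice', isChecked: false },
    { _id: 't2', text: 'bob task',   userId: 'bob',   isChecked: false },
  ];
}

// Step 8 as written: only proves the caller is logged in (authentication).
// Any logged-in user can remove any task, which is the gap the issue reports.
function removeTaskTutorial(tasks, userId, taskId) {
  if (!userId) throw new MeteorError('not-authenticated', 'Not authenticated.');
  return tasks.filter(t => t._id !== taskId);
}

// Authorization: the task's userId must match the caller. One error covers
// both "missing" and "not yours" so a caller cannot probe which ids exist.
function assertOwnedBy(tasks, userId, taskId) {
  if (!userId) throw new MeteorError('not-authenticated', 'Not authenticated.');
  const task = tasks.find(t => t._id === taskId);
  if (!task || task.userId !== userId) {
    throw new MeteorError('not-authorized', 'Access denied.');
  }
  return task;
}

// Hardened methods: authenticate, then authorize, then act.
function removeTaskSecure(tasks, userId, taskId) {
  assertOwnedBy(tasks, userId, taskId);
  return tasks.filter(t => t._id !== taskId);
}

function setCheckedSecure(tasks, userId, taskId, isChecked) {
  assertOwnedBy(tasks, userId, taskId);
  return tasks.map(t => (t._id === taskId ? { ...t, isChecked } : t));
}
```

In a real Meteor method the same assertOwnedBy logic would run server-side with `this.userId` and `TasksCollection.findOne(taskId)`; the client-side stub cannot be trusted to enforce it.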

Oooof, this comes in "9.5: Check User Permission"

I'll leave this open as a request to remove "9.5: Check User Permission" and integrate it into 8. It has nothing to do with publishing at all.

Hi @Prinzhorn, I agree with you that there isn't a direct relationship with the main topic of this step, but this is done in this step because in 9.2 we start to publish only the tasks of the logged-in user.

That is why it makes more sense to improve the security here instead of in step 8.

Thank you for your feedback.