mikowals/batch-insert

Allow/Deny rules are applied to Server operations

paolo opened this issue · 2 comments

Hi, I find your package really useful for a project I'm working on, so thanks a lot!

Here's the problem I've been having:

I usually deny all operations on the client, and expose server methods that clients may call, inside the server method I'm allowed to do any insert/update/remove. This works pretty well with insert/update/remove.

So I wanted to try the same approach with your package, deny all operations in the client, so they can't do MyCollection.batchInsert(), but define a server method where the server is in charge of executing the batch insert. This is currently not working since allow/deny rules are being checked even for server methods.

If I allow inserts, my server method works, but clients are now able to do MyCollection.batchInsert() too.

I've noticed this at batch-insert.js line 135:

if ( this.connection ) {
  //server method called by client so check allow / deny rules.
}

I believe removing the allow/deny checks inside this function should fix the problem, and thus this package would behave as collection operations in meteor.

Kind regards,
Paolo.

Thanks for reporting this. I have it fixed in my local version but want to
write a test for this use case. So I should have the upgrade released in
next few hours.

The fix you suggested breaks the allow/deny security for client calls. So
instead I am catching calls that originate in the server and taking them
straight to the node driver. This parallels how meteor's mongo package
works and I had just missed that logic step in previous readings.
On Wed, Apr 15, 2015 at 9:31 AM Paolo Castro notifications@github.com
wrote:
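The fix described in the reply above, as an added example that is not code from mikowals/batch-insert or from Meteor: a plain Node model of a collection whose batch insert applies allow/deny rules only when the call originated from a client. In a Meteor method `this.connection` is null for calls made from server code and an object for calls made by a client; the model mirrors that with a hypothetical `ctx` argument, and `FakeDriver`, `GuardedCollection` and `runScenario` are constructed names for illustration. Checking every document before writing any is this example's choice, not something the thread specifies.

```javascript
// Added example (not the package's or Meteor's code): gate allow/deny checks on
// whether the batch insert was invoked by a client or by trusted server code.

// Hypothetical in-memory "driver": the path that bypasses allow/deny entirely,
// standing in for the node mongo driver the maintainer routes server calls to.
class FakeDriver {
  constructor() { this.docs = []; }
  insertMany(docs) { this.docs.push(...docs); return docs.length; }
}

// Hypothetical collection with Meteor-style allow/deny rule lists for insert.
class GuardedCollection {
  constructor(name) {
    this.name = name;
    this.driver = new FakeDriver();
    this.allowRules = [];
    this.denyRules = [];
  }
  allow(rules) { if (rules.insert) this.allowRules.push(rules.insert); }
  deny(rules) { if (rules.insert) this.denyRules.push(rules.insert); }

  // Meteor semantics: any deny rule returning true rejects the write;
  // otherwise at least one allow rule must return true.
  clientMayInsert(userId, doc) {
    if (this.denyRules.some((rule) => rule(userId, doc))) return false;
    return this.allowRules.some((rule) => rule(userId, doc));
  }

  // ctx models the Meteor method invocation object: { connection, userId }.
  batchInsert(docs, ctx) {
    if (ctx.connection) {
      // Client-originated call: every doc must pass allow/deny before anything
      // is written, so a partially applied batch cannot leak through.
      for (const doc of docs) {
        if (!this.clientMayInsert(ctx.userId, doc)) {
          throw new Error(`Access denied: insert into ${this.name}`);
        }
      }
    }
    // Server-originated call (connection === null) skips the rules and goes
    // straight to the driver, like Meteor's own collection.insert does when
    // called from server code.
    return this.driver.insertMany(docs);
  }
}

// The scenario from the issue: deny everything on the client and do the
// work inside a server method.
function runScenario() {
  const coll = new GuardedCollection('MyCollection');
  coll.deny({ insert: () => true });

  // Constructed sample documents.
  const docs = [{ _id: 'a', n: 1 }, { _id: 'b', n: 2 }];
  const result = { clientRejected: false, serverInserted: 0, stored: 0 };

  // Direct client call: connection is an object, rules apply, insert is rejected.
  try {
    coll.batchInsert(docs, { connection: { id: 'client-1' }, userId: 'u1' });
  } catch (e) {
    result.clientRejected = /Access denied/.test(e.message);
  }

  // Server method body: Meteor sets this.connection to null for calls that
  // originate on the server, so the batch reaches the driver untouched.
  result.serverInserted = coll.batchInsert(docs, { connection: null, userId: null });
  result.stored = coll.driver.docs.length;
  return result;
}

console.log(runScenario());
```

The point the thread makes is visible in the two `batchInsert` calls: the same documents are rejected when `connection` is set and written when it is null, which is why dropping the allow/deny check outright (the first suggestion) would have opened `MyCollection.batchInsert()` to every client, while keying the check on the call's origin keeps client calls guarded.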

This should be fixed in v1.1.9.