reactioncommerce/meteor-security

Meteor-security for methods?

sebakerckhof opened this issue · 4 comments

Hello,

Does something similar exist for methods?
E.g. something like:

permit('METHODNAME').ifLoggedIn().ifCreated().apply();

meaning that the method can only be called if it passes through these checks. Each check would then probably need to have the method's parameters somewhere on the scope or on this...

Cool idea. It should be possible to support method security, with lots of monkey-patching of Meteor internals.

@raix created https://github.com/DispatchMe/meteor-restricted-find to pull read security into allow/deny. A similar package could pull method security into allow/deny.

Then there would be a single security layer for Meteor, which ongoworks:security could wrap for a simple chainable API.

I like the idea of a single security layer with a chainable API. Maybe we could extend check like @raix find?

Maybe look at using https://github.com/matteodem/meteor-easy-security to accomplish this.

It has hooks for methods and you could then call in the hook:

return Roles.userIsInRole(this.userId, [role, roles], group)

Server side support added by 4a4c0ba in 1.3.0. See Readme.
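
The chainable method guard proposed at the top of this thread, as an added sketch in plain JavaScript. It is not part of the thread and is not the API of Meteor, ongoworks:security or meteor-easy-security; `methods`, `permitMethod`, `MethodDenied`, `ifHasRole`, `ifArgs`, `callAs` and the sample data are hypothetical names constructed for illustration.

```javascript
// Hypothetical registry standing in for the server's method table.
const methods = {};

class MethodDenied extends Error {}

// permitMethod(name) returns a chainable rule builder. Each check receives the
// invocation context (here { userId }) and the method's argument array.
function permitMethod(name) {
  const checks = [];
  const builder = {
    ifLoggedIn() {
      checks.push((ctx) => Boolean(ctx && ctx.userId));
      return builder;
    },
    ifHasRole(role, rolesByUser) {
      checks.push((ctx) => (rolesByUser[ctx.userId] || []).includes(role));
      return builder;
    },
    ifArgs(predicate) {
      checks.push((ctx, args) => predicate(...args));
      return builder;
    },
    // apply() wraps the registered handler; every check must pass before it runs.
    apply() {
      const handler = methods[name];
      if (typeof handler !== 'function') throw new Error(`no method named ${name}`);
      methods[name] = function guarded(...args) {
        for (const check of checks) {
          if (!check(this, args)) throw new MethodDenied(name);
        }
        return handler.apply(this, args);
      };
    },
  };
  return builder;
}

// Constructed sample data and method.
const rolesByUser = { u1: ['admin'], u2: [] };
methods.renameShop = function (shopId, newName) { return `${shopId}:${newName}`; };
permitMethod('renameShop')
  .ifLoggedIn()
  .ifHasRole('admin', rolesByUser)
  .ifArgs((shopId, newName) => typeof newName === 'string' && newName.length > 0)
  .apply();

// Simulates a call arriving with a given invocation context.
function callAs(userId, name, ...args) {
  return methods[name].apply({ userId }, args);
}
```

Because the guard replaces the registry entry rather than sitting beside it, no code path can reach the unguarded handler by name after `apply()` has run.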