2

I'm currently developing an app which needs users and administrators. What I do right now is, I create an admin account on the client with username 'admin' and a default password that should be changed over the accounts-ui.

I do this because creating a user like this:

Accounts.createUser({
    username    : 'admin',
    email       : 'test@test.com',
    password    : 'changethispasswordovertheuserinterface',
    profile     : { type : 'admin' }
});

doesn't work for me on the server side. That means I just create the admin in my client.js and use this code to check if the admin is logged in.

Template.admin.isAdmin = function () {
    var currentUser = Meteor.user();
    // Is this hackable?
    if (null !== currentUser) {
        if ('admin' === currentUser.username) {
            return true;
        }
    }
    // Not logged in, or logged in as someone else
    return false;
};

Is this the best way to approach this? And most importantly, is my site hackable like this (Could somebody fake it)?

Matteo Demicheli

2 Answers

3

Yes, this is hackable: one could pull up the Chrome inspector and modify this quite easily. Or even faster, by typing something like `Template.admin.isAdmin = function () { return true; }` into Chrome's web console.

The best approach would be to only provide the information to the client from the server's end if the user is an admin. So this would mean using Meteor.allow to ensure the database can only be changed by an administrative user, if performing ops from the client end.

It also depends a bit on what you want to use 'isAdmin' for too. If it's content, you could generate the HTML on the server's end and send it down to the client in a Meteor.methods call. At the moment the templating system doesn't provide for locking down the UI on the client's end depending on what the user's document contains.

For any administrative commands, you could use a Meteor.call, at which point the user is vetted on the server's end and the transaction is performed there.

Tarang

  • Okay, thanks, already thought of that and I'm definitely gonna use that. Is there any reason for Meteor.createUser() not working on the server side? I don't even get a proper 'Error' log on my side. – Matteo Demicheli Feb 04 '13 at 13:57
  • It should be `Accounts.createUser..`; it would return the new user's id but wouldn't log them in. Did you delete the existing admin user and try to create it on the server to see if it returns something? – Tarang Feb 04 '13 at 14:06
  • No, I'll try it, thanks. And yeah, I meant `Accounts.createUser` of course. – Matteo Demicheli Feb 04 '13 at 17:01
  • https://github.com/matteodem/Insan3Lik3-Homepage/commit/405b30cee7db7f17a38042fbc99fd3b0e39bb64a I tried to make everything as secure as possible. – Matteo Demicheli Feb 06 '13 at 08:42
-2

The answer on this thread works too, AND the top-voted answer has code for a server-side Meteor method call.

jasonli