I am using Meteor 0.8.0.

For a simple chat application I have a messages collection with

  • user_id
  • message text
  • timestamp

The user_id refers to a user from Meteor.users.

On the client, I want to display a list of the messages including the user name. Straightforward solutions involve publishing the messages and users collections and doing the 'join' on the client. However, I don't want to expose any user_ids to the client in any way.

Solutions I can think of:

  1. Modify the messages publication by removing user_id (easy with 'fields') and adding the user name (hard, I found this, but it produced errors with Meteor 0.8.0, since it relies on internals which have probably changed).
  2. Use Meteor.methods/.call from a template helper, but that is difficult because of the asynchronous nature of Meteor.call. The solutions suggested here or here either don't work in loops or are quite complicated.

Is there a clean and simple solution for this in Meteor?

After having experimented with Meteor for a while, my general feeling is that you quickly expose too much internal information and when you try to restrict it, it quickly becomes very tedious.

robbit
  • [This article may be able to help you](https://www.discovermeteor.com/blog/reactive-joins-in-meteor/), though it doesn't provide an easy method to do exactly what you want. [Here's an issue on the roadmap](https://trello.com/c/BGvIwkEa/48-easy-joins-in-subscriptions) which shows that server-side joins are a priority for the MDG, but might not be ready by 1.0. However, what is your security concern of publishing `userId`s? A `userId` should not be enough to compromise security, unless a serious flaw is revealed in Meteor's security model. – sbking Apr 03 '14 at 10:02
  • I am just trying to stick to the principle to reveal to the client only what's absolutely necessary. E.g. an attacker could use `userId`s to mine information using other published collections, which was not meant to be shown this way by the application. E.g. in the 'real-world' app Telescope, one can use the console to show for a post which users upvoted it, whereas this info is not on the web page and I'd assume that upvoting is meant to be anonymous. Now, this might be a design fault in Telescope, but I find it hard to keep track of the implications of publishing data in Meteor. – robbit Apr 03 '14 at 14:04
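
One way to build option 1 from the question with only the documented publish API (`this.added`/`this.changed`/`this.removed` plus `observeChanges`), shown here as an added example that is not part of the original thread. The `Messages` collection, the `messages` publication name and the `username` field on `Meteor.users` are assumptions.

```javascript
// Added example: server-side "join" inside a Meteor publication.
// Assumed names: Messages collection (user_id, text, timestamp),
// publication "messages", user name stored in Meteor.users.username.

// Copy only whitelisted fields, so user_id can never reach the client.
function publicFields(fields, Users) {
  var out = {};
  if ('text' in fields) out.text = fields.text;
  if ('timestamp' in fields) out.timestamp = fields.timestamp;
  if ('user_id' in fields) {
    // Resolve the name on the server and send it instead of the id.
    var user = fields.user_id &&
      Users.findOne(fields.user_id, { fields: { username: 1 } });
    out.username = user ? user.username : '(unknown)';
  }
  return out;
}

// `sub` is the publish handler's `this`.
function publishMessages(sub, Messages, Users) {
  var handle = Messages.find({}).observeChanges({
    added: function (id, fields) {
      sub.added('messages', id, publicFields(fields, Users));
    },
    changed: function (id, fields) {
      sub.changed('messages', id, publicFields(fields, Users));
    },
    removed: function (id) {
      sub.removed('messages', id);
    }
  });
  sub.ready();
  // Stop observing when the client unsubscribes or disconnects.
  sub.onStop(function () { handle.stop(); });
  return handle;
}

// Register only when running on a Meteor server.
if (typeof Meteor !== 'undefined' && Meteor.isServer) {
  Meteor.publish('messages', function () {
    publishMessages(this, Messages, Meteor.users);
  });
}
```

The name is looked up when a message is published or changed, so a later rename in `Meteor.users` is not pushed to clients, and the message `_id` is still sent.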

0 Answers