0

Are server-side methods also governed by publications? I thought a server-side method can modify whatever it wants.

In my case, in a template's helper, I have Meteor.call('serverMethod', id) and then define serverMethod in collections/methods.js.

Through the publication, the template only has access to one record (the id one), but that's the only one serverMethod sees.

But when I publish everything to the template, serverMethod sees everything.

Isn't that odd? I thought the purpose of a server method is to be trusted, so that I can modify anything I need to without publishing the entire database? Is there something I'm missing?

My allow permissions are set fine, same as other parts of the app which work fine.

m52go
  • Calls to Meteor methods from the client are asynchronous, so it puzzles me that you would call one from within a Template helper. Could you explain your use case? – Donny Winston Jul 02 '14 at 18:40
  • I'm trying to update tags on related posts upon a user modifying tags on a single post in the browser. Concretely: browser is displaying the Toyota post. When the user adds the tag Japanese to Toyota, the server updates Camry, Corolla, and Land Cruiser to include the Japanese tag as well. – m52go Jul 02 '14 at 18:52
  • It's easiest to do it this way because the event is fired by the tags plug-in I'm using. No worries...I figured out what was happening! Thanks for looking into it. – m52go Jul 02 '14 at 18:54

2 Answers

1

Your initial assumptions are correct - methods on the server are "trusted code", and therefore have full access to your collections (publications and deny rules do not apply).

I think the confusion is that serverMethod is defined in a shared directory and therefore will run on both the client and the server (unless it's wrapped with a Meteor.isServer). So if the call is initiated on the client, it will run both versions. Depending on what the method actually does and how you are calling it, you may only see the result of the client-side call. The client version of a method is limited by what has been published to the client.

I suspect that inside of your helper you are doing something like:

var result = Meteor.call('serverMethod', id);

This says: "Call the client simulation of serverMethod and immediately return the result". In order to actually get the value from the server you'd need to use a callback. For example:

Meteor.call('serverMethod', id, function (error, result) { console.log(result); } );

If the above information is an accurate depiction of the problem, you now have another issue to deal with: you can't use the value of an asynchronous callback inside of a template helper. See this question for more information.

David Weldon
  • And that was my issue. I was only looking at the browser errors and completely missing the server's side of the story--it was working fine there the whole time. Sorry for raising the question...it was pointless oversight on my part. Thanks for linking to that question about callbacks in helpers...it's not relevant to what I'm doing now but is still very informative. – m52go Jul 02 '14 at 18:59
0

Server-side methods have access to everything and aren't subject to the allow or deny rules or publish methods.

You have to manually check if the user has permissions to do something per method.

Maybe because the serverMethod is being passed the id from the client, so technically it only ends up seeing what the client can see? (since the id is what's passed back up to the server)

Tarang
  • You know what, I'm a fool. It was working the whole time. The browser console displays errors, but that's to be expected because of the limited publication. Looking back, there were no errors on the Meteor console, and upon checking the database, the updates were being made all along. Sorry for my naivete...and thank you so much. I try everything I can before posting here, but sometimes I miss obvious things. – m52go Jul 02 '14 at 18:23
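An added example, not code from either answer or from Meteor itself: a plain-JavaScript model of the two points made above, that a method body loaded on both sides runs once against the client's published subset and once against the full server database, and that the server run must do its own permission checks. The `owner` and `related` fields, the user ids and all function names are assumptions made for the illustration.

```javascript
// Plain-JavaScript model, no Meteor dependency. All data and names are constructed.
// Server database: every post. `owner` and `related` are assumed fields.
const serverDb = [
  { _id: 'toyota', owner: 'u1', related: ['camry', 'corolla', 'landcruiser'], tags: [] },
  { _id: 'camry', owner: 'u1', related: [], tags: [] },
  { _id: 'corolla', owner: 'u1', related: [], tags: [] },
  { _id: 'landcruiser', owner: 'u1', related: [], tags: [] },
];
// Client cache: only the one post the publication sends to the browser.
const clientCache = [{ ...serverDb[0], tags: [] }];

// Shared method body, as when the method file sits in a directory loaded on both sides.
function tagRelated(docs, isServer, userId, postId, tag) {
  if (isServer) {
    // Publications and allow/deny do not guard this path: validate and authorize by hand.
    if (typeof postId !== 'string' || typeof tag !== 'string' || !tag) {
      throw new Error('bad-arguments');
    }
    if (!userId) throw new Error('not-logged-in');
  }
  const post = docs.find((d) => d._id === postId);
  if (!post) throw new Error('not-found');
  if (isServer && post.owner !== userId) throw new Error('not-authorized');
  const seen = docs.filter((d) => post.related.includes(d._id));
  for (const d of seen) if (!d.tags.includes(tag)) d.tags.push(tag);
  return seen.map((d) => d._id); // the related posts this side could see and update
}

// Run the body once per side and report what each one saw.
function callFromClient(userId, postId, tag) {
  const run = (docs, isServer) => {
    try { return { updated: tagRelated(docs, isServer, userId, postId, tag) }; }
    catch (e) { return { error: e.message }; }
  };
  return { clientSimulation: run(clientCache, false), server: run(serverDb, true) };
}

const owner = callFromClient('u1', 'toyota', 'Japanese');
const stranger = callFromClient('u2', 'toyota', 'German');
console.log(JSON.stringify({ owner, stranger }, null, 2));
```

The client-side run finds no related posts because only one document was published, while the server-side run updates all three; the second call is rejected only because the server branch checks ownership itself.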