2

I'm using Meteor to create a web application.

The issue I'm dealing with is that I have a collection named Books, and I want it to be only available to the logged in users, and not for the anonymous users.

This is what I do:

if (Meteor.userId()) Meteor.subscribe('Books');

But this is not the best solution, because anonymous users can still get the Books collection information by opening up their browser console and calling Meteor.subscribe('Books');.

Unfortunately this is the only solution I can think of so far. I've heard of Meteor's allow and deny, but they seem to only affect when users insert, update, or remove on a collection (not preventing users from subscribing to a collection).

twasbrillig
  • 17,084
  • 9
  • 43
  • 67
sonlexqt
  • 6,011
  • 5
  • 42
  • 58

1 Answers1

2

You can restrict the subscriptions to logged in users from the server side, as follows:

From Meteor & Security: Setting the Record Straight by Sacha Greif:

Only publish posts if a user is logged in:

Meteor.publish('posts', function() {   if(this.userId){
    return Posts.find();   } });

In your case you need to change posts to books, properly capitalized to match other code.

This will cause manual attempts to subscribe while anonymous to come up empty.

Paul
  • 26,170
  • 12
  • 85
  • 119