
I have a publication where I send a "record set" of items. Among these items, some have a field with a modification date (Type: Date).

I need to compare the date field with the current date in order to allow/forbid a user interface action. If my date is more than 24 hours ago, the action is forbidden.

Initially, I wanted to create a dedicated publication in order to expose only the _id of the items with a Date field inferior to 24h from now.

When reading the excellent answer from @Dan Dascalescu here, I understood that I can't have different minimongo collections if the original MongoDB collection is the same: even if I use different subscriptions, everything ends up in the same minimongo collection/"record set".

I could just read and compare the Date field on the client side and allow/forbid the action, but is that secure? Can the client change the date manually? What would be the right way to achieve this?

Billybobbonnet
  • Is _[insert some action on some client]_ secure? No. Never. Server-side validation or your app is standing on top of a cliff, with a noose around the neck, sharp rocks and hungry sharks in the lava pit below it... and your client is behind it, waiting to push. – Kyll May 27 '15 at 17:16
  • I wasn't picturing it exactly like that but I had a similar idea on this :-) My main issue is then how to do this server-side in Meteor? Ideally, I would like to create a boolean field "older than 24h" from my Date field and add it to my subscription, server-side. – Billybobbonnet May 27 '15 at 17:20

1 Answer


Any checks that you do to forbid an action have a security implication. There are approaches that you can use here:

  1. use Methods server side along with Meteor.call client side.
  2. use deny rules if it's collection related. That way you get isomorphic behavior for free and instant feedback on client without sacrificing security.
Adnan Y
  • I'll validate this answer. To achieve that, I will try a server Method. I have been struggling with it since yesterday, but I guess it is another topic. Thanks! – Billybobbonnet May 29 '15 at 11:56
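As an added example (not code from the question or the answer), this is how the 24-hour check can be kept entirely on the server: the decision is a plain function, a Method body calls it against the server's copy of the document and the server's clock, and the same predicate doubles as a deny rule. The collection name `Items`, the method name `items.edit`, the field name `modifiedAt` and the sample documents are assumptions.

```javascript
// Twenty-four hours, the window the question describes.
const WINDOW_MS = 24 * 60 * 60 * 1000;

// Constructed sample data standing in for a server-side Mongo collection;
// only findOne(id) is needed by the method body below.
const demoItems = {
  docs: {
    fresh: { _id: 'fresh', modifiedAt: new Date('2015-05-27T10:00:00Z') },
    stale: { _id: 'stale', modifiedAt: new Date('2015-05-26T10:00:00Z') },
    noDate: { _id: 'noDate' },
  },
  findOne(id) { return this.docs[id]; },
};

// Pure decision: true when modifiedAt is at most `windowMs` before `now`.
// Both values come from the server, so editing the minimongo copy on the
// client changes nothing here. A missing or malformed date fails closed.
function isWithinWindow(modifiedAt, now = new Date(), windowMs = WINDOW_MS) {
  if (!(modifiedAt instanceof Date) || Number.isNaN(modifiedAt.getTime())) {
    return false;
  }
  return now.getTime() - modifiedAt.getTime() <= windowMs;
}

// Method body kept free of Meteor globals so it can be unit-tested.
// `makeError` lets the Meteor wiring substitute Meteor.Error for Error.
function editItem(collection, itemId, now, makeError = (r) => new Error(r)) {
  if (typeof itemId !== 'string') throw makeError('invalid-argument');
  const item = collection.findOne(itemId);
  if (!item) throw makeError('not-found');
  if (!isWithinWindow(item.modifiedAt, now)) throw makeError('too-old');
  // The real action (update, notification, ...) would run here.
  return { _id: item._id, allowed: true };
}

// Wiring for a Meteor app (assumed names Items and 'items.edit'). Guarded so
// the file also runs as a plain Node module outside Meteor.
if (typeof Meteor !== 'undefined' && Meteor.isServer) {
  Meteor.methods({
    'items.edit'(itemId) {
      return editItem(Items, itemId, new Date(), (r) => new Meteor.Error(r));
    },
  });
  // Same predicate as a deny rule for direct client-side updates.
  Items.deny({
    update(userId, doc) { return !isWithinWindow(doc.modifiedAt, new Date()); },
  });
}
```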