3

What is actual reason and how should be minimongo used in meteor? For security, client shouldn't have access to queries. So they should be kept only on server. Therefore on client should not be queried anything anyway.

Even if code for queries would be kept on client, data on server should not be updated directly by client, but executed operations should be sent to server and server should contact Mongo and execute the operations. Do I understand this part correctly? Is this reason of allow/deny rules?

But still, meteor docs consider allow/deny rules to be not secure enough and one should still not allow such writes. Do I understand this second part correctly?

If so, then what is reason of using minimongo? Is it just for prototyping? If I want to have highest security and hence avoid using allow/deny (disallowing everything) then can I remove minimongo, or is it required and still used for something? For what?

Thanks.

Márius Rak
  • 1,356
  • 2
  • 15
  • 35

1 Answers1

4

Since the following is too short for a comment, I will create it as an answer. I will make no claims that it is complete. Hopefully it explains the situation well enough.

Initially minimongo has been designed to reflect operations on collections "as if they would appear on the server side". Meteor automatically syncs the executed operation with the server side collection - saving you lots of time in regards of design and development.

Allow / deny were invented as an extra layer of control, so clients would only be able to manipulate the data involving operations defined in allow/deny.

However, a critical security vulnerability has been found, which is why this is now discouraged and server side methods should be used instead.

You can try this yourself by creating a collection and setting allow to true for insert, update, delete and just execute some of these operation on the client. A neat feature but unfortunately obsolete (not even sure if 100% working in newer versions).

But that's not all! Still you can make use of minimongo when it comes to query operations on the client involving cursors. Very powerful concepts include cursor.observe and cursor.observeChanges. You also can create complex queries that would require a lot of effort if using traditional iterative approaches with arrays.

Finally minimogno is still the destination of your synced documents (that are subscribed by clients and published by the server). It represents a projection of data, that has can be defined up to the most finest within a publication.

Jankapunkt
  • 8,128
  • 4
  • 30
  • 59