I have some Meteor methods and I want to secure them so that only certain users can call them from the client. However, these methods are also used by the server. I am passed the userid in this.userid so I can check if the user is logged in and if they are allowed to make the call, no problem. But when I also need to call the method from the server side, how do I determine that it was a server call so I can allow the method to execute? Checking that there is no this.userid to determine if it's a server call allows unauthenticated users to call the method as well. I am looking for a way to determine if the method was called by the server so I can allow it and still prevent unauthenticated users from calling the method.
    Meteor.methods({
      makeCoffee: function (time) {
        check(time, Number);
        if (calledByServer || (Meteor.user() && Meteor.user().profile.usertype === 'coffee dude')) {
          //Makin' Coffee
        }
        else
          throw new Meteor.Error(404, "Can't find my pants");
        return "Coffee will be made at " + time;
      }
    });
this.connection will be null inside a server-side method if the method was not called from a client. See the this.connection docs.
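The check this answer describes, as an added example (not part of the original answer, and plain Node.js rather than Meteor itself): `invoke`, `tryCall`, `USERS` and `MethodError` are hypothetical stand-ins for Meteor's method dispatch, user lookup and `Meteor.Error`. It also covers a method called from inside a client-initiated method, which in Meteor shares the client's connection and so is not treated as a server call.

```javascript
// Added example: simulates the invocation context ({ userId, connection })
// that Meteor sets as `this` inside a method. Names here are hypothetical.

// Constructed sample users, using the profile.usertype field from the question.
const USERS = {
  u1: { profile: { usertype: 'coffee dude' } },
  u2: { profile: { usertype: 'tea person' } },
};

class MethodError extends Error {
  constructor(code, reason) { super(reason); this.code = code; }
}

const methods = {
  makeCoffee(time) {
    if (typeof time !== 'number') throw new MethodError(400, 'time must be a number');
    // null connection: the call did not arrive over a client connection.
    const serverInitiated = this.connection === null;
    const user = this.userId ? USERS[this.userId] : undefined;
    const allowedUser = !!user && user.profile.usertype === 'coffee dude';
    // A missing userId alone proves nothing: anonymous clients have none either.
    if (!serverInitiated && !allowedUser) throw new MethodError(403, 'Forbidden');
    return 'Coffee will be made at ' + time;
  },
  // Client-callable method that calls makeCoffee internally. The nested call
  // keeps the caller's connection and userId, so the same check still applies.
  scheduleCoffee(time) {
    return invoke.call(this, 'makeCoffee', time);
  },
};

// Stand-in for method dispatch: runs the method with the given context as `this`.
function invoke(name, ...args) {
  return methods[name].apply(this, args);
}

// Returns the method result, or the numeric error code if the call was refused.
function tryCall(ctx, name, ...args) {
  try { return invoke.call(ctx, name, ...args); }
  catch (e) { if (e instanceof MethodError) return e.code; throw e; }
}

const clientConn = { id: 'constructed-connection-id' }; // constructed sample value
console.log(tryCall({ userId: null, connection: null }, 'makeCoffee', 9));       // server call
console.log(tryCall({ userId: null, connection: clientConn }, 'makeCoffee', 9)); // anonymous client
console.log(tryCall({ userId: 'u1', connection: clientConn }, 'makeCoffee', 9)); // allowed user
console.log(tryCall({ userId: null, connection: clientConn }, 'scheduleCoffee', 9)); // nested call
```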
Looks like Meteor.call can be called from server side too now: http://docs.meteor.com/#meteor_call
Original answer:
Make it like this:
    makeCoffee = function (time) {
      //code here
    }

    Meteor.methods({
      makeCoffeeMethod: function (time) {
        if (calledByAllowedUser())
          return makeCoffee(time);
        else
          throw new Meteor.Error(403, 'Forbidden');
      }
    });
Now you can call it on the server, bypassing the authentication.