
Meteor.users.allow never fires, but Meteor.users.deny works

I have a Meteor application with autopublish removed.

In this app, I want to allow administrators to CRUD any user, but other users should only be able to update their own. With a simple Meteor.users.allow, the update function never gets called (that I can tell), but if I use Meteor.users.deny and reverse the logic, it works fine.

There is only one Meteor.users.allow function in my app. I can live with using deny, but can anyone tell me what I'm doing wrong with allow?

My allow function, which never logs anything:

console.log("Setting Meteor.users.allow");
Meteor.users.allow({
  insert: function (userId, doc) {
    // only admin can insert 
    var u = Meteor.users.findOne({_id:userId});
    return (u && u.isAdmin);
  },
  update: function (userId, doc, fields, modifier) {
    console.log("user " + userId + " wants to modify doc " + doc._id);
    if (userId && doc._id === userId) {
      console.log("user allowed to modify own account!");
      // user can modify own 
      return true;
    }
    // admin can modify any
    var u = Meteor.users.findOne({_id:userId});
    return (u && u.isAdmin);
  },
  remove: function (userId, doc) {
    // only admin can remove
    var u = Meteor.users.findOne({_id:userId});
    return (u && u.isAdmin);
  }
});

My deny function, which logs and works:

console.log("Setting Meteor.users.deny");
Meteor.users.deny({
  insert: function (userId, doc) {
    // only admin can insert 
    var u = Meteor.users.findOne({_id:userId});
    return !(u && u.isAdmin);
  },
  update: function (userId, doc, fields, modifier) {
    console.log("user " + userId + " wants to modify doc " + doc._id);
    if (userId && doc._id === userId) {
      console.log("user allowed to modify own account!");
      // user can modify own 
      return false;
    }
    // admin can modify any
    var u = Meteor.users.findOne({_id:userId});
    return !(u && u.isAdmin);
  },
  remove: function (userId, doc) {
    // only admin can remove
    var u = Meteor.users.findOne({_id:userId});
    return !(u && u.isAdmin);
  }
});
Anderson Wiese asked Sep 17 '13 02:09


1 Answer

Did you make sure to put your Meteor.users.allow code in the server?

I was running into the same problem while using an allow in the client and not the server code.

tiagosilva answered Oct 11 '22 14:10
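
An added example (not code from the question or the answer): the same admin/own-account rules registered only on the server, as the answer suggests, and going one step further by limiting which top-level fields a non-admin may change on their own document, so the `isAdmin` flag the rules depend on is not writable by the account's own user. `makeUserRules` and the `SELF_EDITABLE` whitelist are hypothetical names chosen for this sketch; the rule logic is kept in plain functions so it can be exercised without a running Meteor app.

```javascript
// Assumed whitelist of top-level fields a user may change on their own
// document. Adjust to your schema; isAdmin must never appear here.
var SELF_EDITABLE = ['profile'];

// Builds the allow() callbacks. findUser is injected so the rules can be
// tested outside Meteor; on the server it wraps Meteor.users.findOne.
function makeUserRules(findUser) {
  function isAdmin(userId) {
    if (!userId) return false;                 // not logged in
    var u = findUser({ _id: userId });
    return !!(u && u.isAdmin === true);        // always return a strict boolean
  }
  return {
    insert: function (userId, doc) {
      return isAdmin(userId);                  // only admin can insert
    },
    update: function (userId, doc, fields, modifier) {
      if (isAdmin(userId)) return true;        // admin can modify any
      if (!userId || doc._id !== userId) return false;
      // Owner: every top-level field touched by the modifier must be
      // whitelisted, otherwise the whole update is refused.
      return fields.length > 0 && fields.every(function (f) {
        return SELF_EDITABLE.indexOf(f) !== -1;
      });
    },
    remove: function (userId, doc) {
      return isAdmin(userId);                  // only admin can remove
    }
  };
}

// Register on the server only: rules defined in client code are not
// what decides whether a write is accepted.
if (typeof Meteor !== 'undefined' && Meteor.isServer) {
  Meteor.users.allow(makeUserRules(function (selector) {
    return Meteor.users.findOne(selector);
  }));
}
```

Place this file where only the server loads it (for example under a `server/` directory), which makes the `Meteor.isServer` guard a second line of defence rather than the only one.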