I have a very simple app that does not need any roles, just one or several users who need to be able to log in and use the admin of the site.
I am doing a simple check in my admin template like so:
<template name="admin">
  {{#if currentUser}}
    {{loginButtons}}
    {{#if isUserAdmin}}
      show some stuff here...
    {{/if}}
  {{else}}
    {{loginButtons}}
  {{/if}}
</template>
Then in my helpers I have:
Template.admin.isUserAdmin = function(){
  var adminEmail = Meteor.user().emails[0].address;
  if( adminEmail === "[email protected]"){
    return true;
  } else {
    return false;
    //add some logic for displaying error template.
  }
}
Is this enough to keep the app secure or do I need something else in addition?
That's not enough. The primary rule is: never trust your client. Any part of client code can be substituted for anything else - in your case, the isUserAdmin function can be modified to always return true.
To be safe, you need to put safety filters on the server side.
1) Set up write / remove permissions for data that only admins should be allowed to modify. See http://docs.meteor.com/#allow
2) If you have some data that should not be visible to all users, but only to admins (such as your user e-mails, price history of a product, unpublished articles etc.), make sure to check privileges in the publish call. For example:
Meteor.publish('unpublishedArticles', function() {
  // Not logged in: publish nothing.
  if(!this.userId) return null;
  // Look the user up on the server; the client cannot tamper with this document.
  var user = Meteor.users.findOne(this.userId);
  if(user.admin) return Articles.find({published: false});
  return null;
});
Again, it's important that the data is filtered in the publish, as subscribe calls can be easily tampered with.
3) Also, it's not wise to have your email embedded directly in the client code. It's better (and easier to use down the road) to mark privileged users with an admin = true field.
These steps should be enough to make your app secure.
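The three server-side points above, as an added example that is not part of the question or the answer: the `Articles` collection, the `admin: true` field on the user document, the `isAdminUser`/`adminOnly`/`unpublishedArticlesFor` helper names and the injected user lookup are all assumptions. The privilege logic is kept in plain functions so it can be run and checked without a Meteor server; the wiring into `allow` and `publish` only executes when `Meteor.isServer` is defined.

```javascript
// Added example; not the project's own code. `Articles` and the `admin` field are assumed.

// Pure privilege check on a user document. Only a strict boolean `true` counts:
// a missing user, a missing field or a client-supplied string like "true" all fail.
function isAdminUser(user) {
  return !!user && user.admin === true;
}

// Per-operation decision for allow rules. `findUser` is injected so the same
// logic runs under plain Node in tests; on the server it wraps Meteor.users.findOne.
function adminOnly(userId, findUser) {
  if (!userId) return false;          // anonymous client
  return isAdminUser(findUser(userId));
}

// Publication logic: the admin-only cursor, or null for everyone else.
// `articles` is any object with a find(query) method (the real collection on the server).
function unpublishedArticlesFor(userId, findUser, articles) {
  if (!adminOnly(userId, findUser)) return null;
  return articles.find({ published: false });
}

// Server-only wiring. Note: keep `admin` a top-level field of the user document,
// not inside `profile`, because Meteor lets users edit their own `profile` by default.
if (typeof Meteor !== "undefined" && Meteor.isServer) {
  var findUser = function (id) { return Meteor.users.findOne(id); };

  // Assumed collection: every write is decided on the server, so a patched
  // client-side isUserAdmin helper cannot grant itself anything.
  Articles.allow({
    insert: function (userId) { return adminOnly(userId, findUser); },
    update: function (userId) { return adminOnly(userId, findUser); },
    remove: function (userId) { return adminOnly(userId, findUser); }
  });

  Meteor.publish("unpublishedArticles", function () {
    return unpublishedArticlesFor(this.userId, findUser, Articles);
  });
}
```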