alethes / meteor-pages

Meteor pagination

How to limit published fields

Shelagh-Lewins opened this issue · comments

Is there a way to prevent a Pagination from publishing all fields in a collection?

Apart from the hit to the database, it is not good to publish all users' sensitive information such as emails when displaying a paginated list of users.

I got some helpful tips from this issue:

#151

It seems that in the Users collection, if you put in any fields limit, then the sensitive fields are hidden and all the public-type fields are shown. In the example below, adding fields: { username: 1 } to _options in the auth function changes the behaviour so that emails etc are hidden from the client, while username, _id AND profile are visible. This seems like odd behaviour but it is giving me what I want. The main issue seems to be lack of documentation of this feature, and it'd be great to know if anyone else has had the same experience.

I'm using Meteor.users.find().fetch() in the console to check what data is visible in the client.

this.Users = new Meteor.Pagination(Meteor.users, {
  itemTemplate: "user_thumbnail",
  templateName: "users",
  perPage: 12,
  availableSettings: {
    filters: true,
    sort: true
  },
  auth: function(skip, sub){
    var userSettings = this.userSettings[sub._session.id] || {};
    var userFilters = userSettings.filters || {};

    var update = {};
    update["profile.public_docs_count"] = {$gt: 0}; // this construction is required to query a child property

    var _filters = _.extend(
        { $or: [update, {_id: sub.userId}]}, userFilters); // Only return users with published docs, and the user themself

    var _options = {
      limit: 12,
      skip: skip,
      fields: { username: 1 }
    };
    if (typeof userSettings.sort === "object") {
      _options.sort = userSettings.sort;
    } else {
      _options.sort = { 'profile.name_sort': 1 }; // lower-case version of username
    }
    
    return [_filters, _options];
  }
});
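
The following is an added example, not part of the original issue and not meteor-pages code. It shows one way to build the options half of the `[filters, options]` pair with a projection fixed on the server, and to check on a constructed user document which fields that projection lets through. `PUBLIC_FIELDS`, `buildOptions`, `project` and the two `profile.*` entries in the allowlist are assumptions; `project` is a simplified model of an inclusion projection, not MongoDB's implementation.

```javascript
// Added example (not from meteor-pages): plain JavaScript, no Meteor required.
// PUBLIC_FIELDS, buildOptions and project are hypothetical names.
const PUBLIC_FIELDS = { username: 1, "profile.name_sort": 1, "profile.public_docs_count": 1 };

// Build the options half of the [filters, options] pair returned by auth().
// The projection is fixed on the server; a client-supplied sort is accepted
// only when every key is one of the published fields.
function buildOptions(skip, userSettings) {
  const options = { limit: 12, skip: skip, fields: Object.assign({}, PUBLIC_FIELDS) };
  const sort = userSettings && userSettings.sort;
  const sortOk = sort !== null && typeof sort === "object" && !Array.isArray(sort) &&
    Object.keys(sort).length > 0 &&
    Object.keys(sort).every((k) => Object.prototype.hasOwnProperty.call(PUBLIC_FIELDS, k) &&
      (sort[k] === 1 || sort[k] === -1));
  options.sort = sortOk ? sort : { "profile.name_sort": 1 };
  return options;
}

// Minimal model of an inclusion projection (dotted paths, _id always kept),
// used here to show which parts of a user document would be sent.
function project(doc, fields) {
  const out = { _id: doc._id };
  for (const path of Object.keys(fields)) {
    const keys = path.split(".");
    let src = doc;
    for (const k of keys) src = src == null ? undefined : src[k];
    if (src === undefined) continue;
    let dst = out;
    keys.slice(0, -1).forEach((k) => { dst = dst[k] = dst[k] || {}; });
    dst[keys[keys.length - 1]] = src;
  }
  return out;
}

// Constructed sample document shaped like a Meteor user record.
const sampleUser = {
  _id: "u1",
  username: "alice",
  emails: [{ address: "alice@example.com", verified: true }],
  services: { password: { bcrypt: "<hash placeholder>" } },
  profile: { name_sort: "alice", public_docs_count: 3, phone: "<private>" },
};

const opts = buildOptions(0, { sort: { "emails.address": 1 } });
console.log(opts.sort);                      // falls back to the default sort
console.log(project(sampleUser, opts.fields));
```

Listing individual `profile.*` paths rather than `profile` as a whole keeps anything else stored under `profile` out of the result.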