Could i use meteor-security in meteor method?

Question

Could i use meteor-security in meteor method?

thearabbit opened this issue 9 years ago · comments

Could i use meteor-security in meteor method like this:

Meteor.method({
   myMethod: function(roles) {
   Posts.permit('remove').ifHasRole({role: roles}).apply();
   }
});

And then we call it before insert or after submit.

Eric Dobbertin · Answer 1 · Tue Mar 24 2015 09:52:26 GMT+0800 (China Standard Time)

No it is a substitute for allow/deny, so it applies to client-side insert/update/remove calls only.

John Gonzalez · Answer 2 · Mon Sep 21 2015 01:42:07 GMT+0800 (China Standard Time)

The other hand. Could i use meteor-security in meteor method like this:

// In server/security.js
Posts.permit('remove').ifHasRole('admin').apply();

// In server/methods.js
Meteor.method({
   myMethod: function(post) {
     Post.insert(post);
   }
});

Eric Dobbertin · Answer 3 · Mon Oct 05 2015 10:31:40 GMT+0800 (China Standard Time)

If you add the dispatch:run-as-user package, you can use Meteor.runRestricted to apply allow/deny rules in server code such as a method:

Meteor.method({
   myMethod: function(post) {
     Meteor.runRestricted(function() {
       Post.insert(post);
     });
   }
});

I'm also working on an enhancement to this pkg to provide direct server support.