Question

I'm currently developing an app which needs users and administrators. What I do right now is, I create an admin account on the client with username 'admin' and a default password that should be changed over the accounts-ui.

I do this because creating a user like this:

// Client-side call that creates the admin account (as posted in the question)
Accounts.createUser({
    username    : 'admin',
    email       : 'test@test.com',
    password    : 'changethispasswordovertheuserinterface',
    profile     : { type : 'admin' }
});

doesn't work for me on server side. That means I just create the admin in my client.js and just use this code to check if the admin is logged in.

// Client-side template helper (as posted in the question)
Template.admin.isAdmin = function () {
    var currentUser = Meteor.user();
    // Is this hackable?
    if (null !== currentUser) {
        if ('admin' === currentUser.username) {
            return true;
        }
    }
    return false;
};

Is this the best way to approach this? And most importantly, is my site hackable like this (Could somebody fake it)?


The solution

Yes, this is hackable: one could pull up the Chrome inspector and modify this quite easily. Or even faster, by typing something like Template.admin.isAdmin = function () { return true; } into Chrome's web console.

The best approach would be to only provide the information to the client from the server's end if the user is an admin. So this would mean using Meteor.allow to ensure the database can only be changed by an administrative user, if performing ops from the client end.

It also depends a bit on what you want to use 'isAdmin' for too. If it's content, you could generate the HTML on the server's end and send it down to the client in a Meteor.methods. At the moment the templating system doesn't provide for locking down the UI on the client's end depending on what the user's document contains.

For any administrative commands, you could use a Meteor.call at which point the user is vetted on the server's end and the transaction is performed there.
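The server-side vetting described in this answer, as an added example that is not code from the question or the answer: the admin decision is made in a Meteor method and an allow rule on the server, where a client cannot redefine it. The helper names (isAdminUser, requireAdmin, removePost), the Posts collection and the top-level "roles" field are assumptions.

```javascript
// Added example, not code from the question or the answer: the admin check is
// performed on the server, where the client cannot override it. The admin flag
// lives in a top-level "roles" field rather than in "profile", because
// Meteor's default allow rule lets a logged-in user edit their own profile.
// requireAdmin, removePost, Posts and the "roles" field are assumed names.

var AUTH_ERROR = 'not-authorized';

// Pure check over a user document fetched on the server with Meteor.users.findOne.
function isAdminUser(userDoc) {
  return !!(userDoc && Array.isArray(userDoc.roles) &&
            userDoc.roles.indexOf('admin') !== -1);
}

// Throws unless the caller is an admin; call it first in every method or
// allow rule that performs an administrative change.
function requireAdmin(userDoc) {
  if (!isAdminUser(userDoc)) {
    var err = new Error('Admin privileges required');
    err.error = AUTH_ERROR;
    throw err;
  }
}

// The administrative operation, written against a minimal collection
// interface (anything with remove(selector)) so it also runs without Meteor.
function removePost(posts, userDoc, postId) {
  requireAdmin(userDoc);
  return posts.remove({ _id: postId });
}

// Wiring for a real Meteor server: the client does Meteor.call('removePost', id)
// and the server, not the client, decides whether to carry it out.
if (typeof Meteor !== 'undefined' && Meteor.isServer) {
  Meteor.methods({
    removePost: function (postId) {
      var userDoc = Meteor.users.findOne(this.userId);
      try {
        return removePost(Posts, userDoc, postId);
      } catch (e) {
        throw new Meteor.Error(AUTH_ERROR, e.message);
      }
    }
  });
  // The same vetting for direct client-side writes (Meteor.allow).
  Posts.allow({
    remove: function (userId) { return isAdminUser(Meteor.users.findOne(userId)); }
  });
}
```

Outside Meteor the functions can be exercised with any object that has a remove(selector) method, such as a constructed in-memory stub; note that a user document carrying only username 'admin' or profile.type 'admin' is not treated as an administrator.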

Other tips

The answer on this thread works too, AND the top-voted answer has code for a server-side Meteor method call.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow