I'm using Meteor to create a web application.
The issue I'm dealing with is that I have a collection named Books, and I want it to be only available to the logged in users, and not for the anonymous users.
This is what I do:
if (Meteor.userId()) Meteor.subscribe('Books');
But this is not the best solution, because anonymous users can still get the Books collection information by opening up their browser console and calling Meteor.subscribe('Books');.
Unfortunately this is the only solution I can think of so far. I've heard of Meteor's allow and deny, but they seem to only affect when users insert, update, or remove on a collection (not preventing users from subscribing to a collection).
You can restrict the subscriptions to logged in users from the server side, as follows:
From Meteor & Security: Setting the Record Straight by Sacha Greif:
In your case you need to change posts to books, properly capitalized to match other code. This will cause manual attempts to subscribe while anonymous to come up empty.
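A sketch of the server-side check described in the answer above, as an added example that is not the code from the original answer or from the quoted article. `Meteor.publish`, `this.userId` and `this.ready()` are Meteor's publish API; `publishBooks`, `fakeBooks` and `simulateSubscribe` are hypothetical names used so the handler can be exercised outside a Meteor app.

```javascript
// Publish handler factory (added example). Meteor invokes the handler with
// `this` bound to the subscription; this.userId is null for anonymous clients.
function publishBooks(Books) {
  return function () {
    if (!this.userId) {
      // Anonymous: send no documents and mark the subscription ready,
      // so a manual Meteor.subscribe('Books') from the console comes up empty.
      return this.ready();
    }
    // Logged in: publish the collection.
    return Books.find();
  };
}

// In a Meteor app this runs in server-only code:
//   Meteor.publish('Books', publishBooks(Books));
// The client-side `if (Meteor.userId())` guard then only avoids a useless
// subscription; the access decision is made here, on the server.

// --- Constructed stand-ins (not Meteor objects) to run the handler offline ---
const fakeBooks = {
  docs: [
    { _id: 'b1', title: 'Constructed sample A' },
    { _id: 'b2', title: 'Constructed sample B' },
  ],
  find() {
    return { fetch: () => this.docs.slice() };
  },
};

// Simulates what a client would receive when subscribing with the given userId.
function simulateSubscribe(handler, userId) {
  let ready = false;
  const ctx = { userId, ready() { ready = true; } };
  const cursor = handler.call(ctx);
  return { ready: ready || Boolean(cursor), docs: cursor ? cursor.fetch() : [] };
}

const handler = publishBooks(fakeBooks);
console.log('anonymous sees:', simulateSubscribe(handler, null).docs.length);
console.log('logged-in sees:', simulateSubscribe(handler, 'user123').docs.length);
```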