MeteorJS - How to prevent anonymous clients from Subscribing to a collection?


I'm using Meteor to create a web application.

The issue I'm dealing with is that I have a collection named Books, and I want it to be only available to the logged in users, and not for the anonymous users.

This is what I do:

if (Meteor.userId()) Meteor.subscribe('Books');

But this is not the best solution, because anonymous users can still get the Books collection information by opening up their browser console and calling Meteor.subscribe('Books');.

Unfortunately this is the only solution I can think of so far. I've heard of Meteor's allow and deny, but they seem to only affect when users insert, update, or remove on a collection (not preventing users from subscribing to a collection).

Paul On BEST ANSWER

You can restrict the subscriptions to logged in users from the server side, as follows:

From Meteor & Security: Setting the Record Straight by Sacha Greif:

Only publish posts if a user is logged in:

    Meteor.publish('posts', function() {
      if (this.userId) {
        return Posts.find();
      }
    });

In your case you need to change posts to books, properly capitalized to match other code.

This will cause manual attempts to subscribe while anonymous to come up empty.
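The server-side check from the answer, applied to a `Books` publication and exercised for an anonymous and a logged-in session. This is an added example, not code from the original post or from the quoted article; the `Meteor` and `Books` objects and the `runPublication` helper are constructed stand-ins so it runs in plain Node, and the anonymous branch calls `this.ready()` so the client's subscription still reports ready.

```javascript
// Constructed stand-ins so the example runs outside Meteor. In a real app
// Meteor comes from 'meteor/meteor' and Books is a Mongo.Collection.
const publications = {};
const Meteor = { publish(name, fn) { publications[name] = fn; } };
const Books = {
  docs: [{ _id: 'b1', title: 'Constructed sample book' }],
  find() { return { fetch: () => Books.docs.slice() }; },
};

// The check runs on the server, so typing Meteor.subscribe('Books') in the
// browser console goes through the same code path and gets the same result.
Meteor.publish('Books', function () {
  if (!this.userId) {
    // Anonymous session: publish no documents, but mark the subscription
    // ready so client code waiting on it does not hang.
    return this.ready();
  }
  return Books.find();
});

// Hypothetical helper: call a publication the way the server would for one
// session. userId is null for an anonymous connection.
function runPublication(name, userId) {
  let ready = false;
  const ctx = { userId, ready() { ready = true; } };
  const cursor = publications[name].call(ctx);
  if (cursor) ready = true; // Meteor marks cursor publications ready itself
  return { ready, docs: cursor ? cursor.fetch() : [] };
}

console.log('anonymous:', runPublication('Books', null));
console.log('logged in:', runPublication('Books', 'user-123'));
```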