search

LumaPictures / meteor-jquery-datatables

Sort, page, and filter millions of records reactively.
http://jquery-datatables.meteor.com
MIT License
98 stars 29 forks source link

Can't limit DataTables publication by user #29

Closed francisbyrne closed 10 years ago

francisbyrne commented 10 years ago

@austinrivas It seems that the change you've made to allow limiting the publication data won't work for my use-case, or any use-case involving restricting the dataset to a particular user.

In my example, this.userId is not available when I initialise on the server:

PortfolioTable = new DataTableComponent({
    subscription: 'holdings',
    collection: Holdings,
    query: {'userId': this.userId} // this.userId == undefined
  });

  PortfolioTable.publish();

I'm guessing this is because it only calls the query once when the server starts up (when it doesn't know any client details), instead of calling the query each time a new subscription is made, as other publish functions do.

Given this is the case, it seems like the usage of this feature is be pretty limited, security-wise. Or perhaps I have just called it incorrectly?

gjolund commented 10 years ago

That makes perfect sense, what if I make the query Param on the sever able to be a function that is executed from the this context of the publication?

Should be pretty straightforward, I'll play around with it in a minute. — Austin Rivas

On Sun, May 25, 2014 at 11:58 AM, Francis Byrne notifications@github.com wrote:

@austinrivas It seems that the change you've made to allow limiting the publication data won't work for my use-case, or any use-case involving restricting the dataset to a particular user. In my example, this.userId is not available when I initialise on the server:

PortfolioTable = new DataTableComponent({
    subscription: 'holdings',
    collection: Holdings,
    query: {'userId': this.userId} // this.userId == null
  });
  PortfolioTable.publish();

I'm guessing this is because it only calls the query once when the server starts up (when it doesn't know any client details), instead of calling the query each time a new subscription is made, as other publish functions do.

Given this is the case, it seems like the usage of this feature is be pretty limited, security-wise. Or perhaps I have just called it incorrectly?

Reply to this email directly or view it on GitHub: https://github.com/LumaPictures/meteor-jquery-datatables/issues/29

francisbyrne commented 10 years ago

@austinrivas Yeah I think that'd be perfect, let me know when it's done and I'll retest.

gjolund commented 10 years ago

ok @francisbyrne should be working now.

Usage looks like this

if Meteor.isServer
  RowsTable = new DataTableComponent
    subscription: "rows"
    collection: Rows
    # ##### Only return rows this user owns
    query: ( component ) ->
        component.log "userId", Meteor.userId
        return { owner: Meteor.userId }
    debug: "userId"

  RowsTable.publish()
francisbyrne commented 10 years ago

@austinrivas Cool, that works. However, I think it should be this.userId not Meteor.userId as it is called in a publish function, right? At least, that's what worked for me, Meteor.userId threw an exception.

gjolund commented 10 years ago

You should be able to, the this context in your query method should be the exact same as in a publication.

francisbyrne commented 10 years ago

@austinrivas Yep, what I meant was: this.userId works, but Meteor.userId doesn't work (at least it didn't work for me). I just thought I should mention it in case you use your above example in the docs.

gjolund commented 10 years ago

Just to be clear, isn't that the expected behavior inside a meteor publication?

francisbyrne commented 10 years ago

Yep, it is the expected behaviour. I was just saying I was thrown off by your example, which uses Meteor.userId. Not a big deal, just thought I'd mention in case you use that usage example in your docs.

gjolund commented 10 years ago

Ah I see, good catch. Feel free to update it and submit a pull request if you have the time