Meteor-Community-Packages / meteor-roles

Authorization package for Meteor, compatible with built-in accounts packages
http://meteor-community-packages.github.io/meteor-roles/
MIT License

How can I forbid Roles.addUsersToRoles on the client side, e.g. in the browser console? #259

Closed neutron92 closed 6 years ago

neutron92 commented 6 years ago

Please help me, it is a big security problem.

How can I forbid Roles.addUsersToRoles on the client side, e.g. in the browser console?

SimonSimCity commented 6 years ago

Meteor states the following in the documentation:

Meteor allows the write only if no deny rules return true and at least one allow rule returns true.

Source: https://docs.meteor.com/api/collections.html#Mongo-Collection-deny

So you must have an allow rule somewhere if this is to work. Maybe you have the extension insecure installed, which adds an allow rule for every method of a collection. But this also means you haven't yet followed the security checklist available at https://guide.meteor.com/security.html#checklist.

If you don't know who defines this allow rule, you can also set a deny rule, which (as the quote above states) overrides every allow rule.
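A small model of the allow/deny evaluation quoted above, added here as an example (it is not code from the meteor-roles project or from this thread). It assumes a permissive allow rule of the kind the `insecure` package effectively adds, and a hypothetical deny rule that rejects any client-side update touching a `roles` field on Meteor.users; in a real app these would be registered with `Meteor.users.allow(...)` and `Meteor.users.deny(...)` in server-only code.

```javascript
// Registered rules, in the shape Meteor passes to update callbacks:
// (userId, doc, fieldNames, modifier). Only the update hook is modelled.
const allowRules = [];
const denyRules = [];

// Hypothetical permissive allow rule (what `insecure` amounts to):
// any logged-in user may update any document.
allowRules.push({
  update: (userId, doc, fieldNames, modifier) => userId != null,
});

// Hypothetical deny rule: reject every client-side update that touches
// the `roles` field (assumed here to be where role assignments are stored).
// Because deny rules win, this closes the hole even if an allow rule
// defined elsewhere would otherwise permit the write.
denyRules.push({
  update: (userId, doc, fieldNames, modifier) => fieldNames.includes('roles'),
});

// Meteor's documented decision: the write goes through only if no deny
// rule returns true AND at least one allow rule returns true.
function clientUpdateAllowed(userId, doc, fieldNames, modifier = {}) {
  const denied = denyRules.some(
    (rule) => rule.update && rule.update(userId, doc, fieldNames, modifier) === true
  );
  if (denied) return false;
  return allowRules.some(
    (rule) => rule.update && rule.update(userId, doc, fieldNames, modifier) === true
  );
}

// Constructed sample writes, as a browser-console user might attempt them.
const selfPromotion = clientUpdateAllowed(
  'user-1', { _id: 'user-1' }, ['roles'], { $addToSet: { roles: 'admin' } }
);
const profileEdit = clientUpdateAllowed(
  'user-1', { _id: 'user-1' }, ['profile'], { $set: { 'profile.name': 'x' } }
);
console.log({ selfPromotion, profileEdit }); // { selfPromotion: false, profileEdit: true }
```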