diego2013 / CSR_Meteor

CSR prototype III. Implementation using the Meteor platform

User Profile editing/hacking #60

Open diego2013 opened 9 years ago

diego2013 commented 9 years ago

As per this advice, we should make sure that the user's profile is not editable via the console's command line or similar "hacking" attacks.

I tested it and you can edit the user profile. You can't edit it to make yourself an admin just because we are using alanning:roles to manage our roles (and probably the package takes care of this issue), but we should follow Weldon's recommendations and add the deny rule:

Meteor.users.deny({
  update: function() {
    return true;
  }
});


diego2013 commented 9 years ago

https://github.com/oortcloud/unofficial-meteor-faq#user-content-subscriptions-and-methods

diego2013 commented 9 years ago

Truth is that we don't have code looking like: if (Meteor.user().profile.isAdmin) // do important admin things

since we are using alanning:roles to manage our roles, and this package seems to be free of this issue. We need to explore further how this could interfere with any functionality to manipulate users' profiles.

diego2013 commented 8 years ago

Another note: how would denying updates to the users collection affect the ability of administrators to update users' profiles (i.e. updating their roles) or the ability of users to update their own profiles (if that was desirable and available on the CSR)?
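The following is an added example, not code from the CSR_Meteor project or from this thread. It simulates Meteor's allow/deny evaluation in plain JavaScript (no Meteor API, constructed user documents) to show how the deny rule from the first comment blocks console edits of `profile`, and how the question in the last comment is answered: allow/deny only governs client-side writes, so a server-side method can still let admins change roles.

```javascript
// Added example (not from the CSR_Meteor project): a stand-alone model of
// Meteor's allow/deny evaluation for client-side writes. It shows why
// Meteor.users.deny({update: () => true}) blocks console edits of `profile`
// while a server-side method still lets admins change roles. No Meteor API
// is used; the collection and the rule semantics are simulated.

// Meteor's rule: a client write goes through only if no deny callback
// returns true AND at least one allow callback returns true.
function clientWriteAllowed(rules, userId, doc, fields, modifier) {
  if (rules.deny.some((fn) => fn(userId, doc, fields, modifier))) return false;
  return rules.allow.some((fn) => fn(userId, doc, fields, modifier));
}

// Constructed users collection. Roles live in their own top-level field
// (as alanning:roles does), so a profile edit alone cannot grant admin.
const users = {
  u1: { _id: 'u1', profile: { name: 'Alice' }, roles: ['admin'] },
  u2: { _id: 'u2', profile: { name: 'Bob' }, roles: [] },
};

// Meteor's default: a logged-in user may update the `profile` field of
// their own document from the client.
const defaultRules = {
  allow: [(userId, doc, fields) => userId === doc._id && fields.every((f) => f === 'profile')],
  deny: [],
};

// Hardened rules from the issue: deny every client-side update.
const hardenedRules = {
  allow: [(userId, doc, fields) => userId === doc._id && fields.every((f) => f === 'profile')],
  deny: [() => true],
};

// Simulated client call, e.g. Meteor.users.update(Meteor.userId(), {$set: ...})
// typed into the browser console. Returns whether the write was applied.
function clientUpdateProfile(rules, callerId, targetId, newProfile) {
  const doc = users[targetId];
  if (!doc) return false;
  const modifier = { $set: { profile: newProfile } };
  const ok = clientWriteAllowed(rules, callerId, doc, ['profile'], modifier);
  if (ok) doc.profile = newProfile;
  return ok;
}

// Simulated server-side Meteor.method: allow/deny never applies to server
// code, so admins keep the ability to set roles after the deny rule is added.
function serverSetRoles(callerId, targetId, roles) {
  const caller = users[callerId];
  if (!caller || !caller.roles.includes('admin')) throw new Error('not-authorized');
  users[targetId].roles = roles.slice();
  return users[targetId].roles;
}
```

With the default rules a user can rewrite their own profile from the console; with the deny rule in place the same call is rejected, while the admin-only server method still changes roles.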