Open diego2013 opened 9 years ago
Truth is that we don't have code looking like `if (Meteor.user().profile.isAdmin) // do important admin things`
since we are using alanning:roles to manage our roles, and this package seems to be free of this issue. We need to explore further how this could interfere with any functionality to manipulate users' profiles.
Another note: how would denying updates to the user collection affect the ability of administrators to update users' profiles (i.e. updating their roles) or the ability of users to update their own profiles (if that was desirable and available on the CSR)?
As per this advice we should make sure that the user's profile is not editable via the console's command line or similar "hacking" attacks.
I tested it and you can edit the user profile. You can't edit it to make yourself an admin just because we are using alanning:roles to manage our roles (and probably the package takes care of this issue), but we should follow Weldon's recommendations and add the deny rule:
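As an added illustration (not code from the issue thread or the project), the shape of a server-side deny rule for the users collection next to an admin check that consults roles instead of `profile`; `hasRole` is a hypothetical stand-in for the roles package lookup, and the stub collection only mimics how Meteor evaluates `deny()` so the example runs outside Meteor.

```javascript
// Deny every client-side update to the users collection, including the
// `profile` field that Meteor leaves writable by its owner by default.
// Apply this on the server, e.g. denyClientProfileUpdates(Meteor.users).
function denyClientProfileUpdates(usersCollection) {
  usersCollection.deny({
    // Meteor calls update(userId, doc, fieldNames, modifier);
    // returning true blocks the write regardless of any allow rule.
    update() { return true; },
  });
}

// Authorization must not trust user.profile: a logged-in user can edit it
// from the browser console. `hasRole(userId, role)` is a hypothetical
// stand-in for a roles lookup such as Roles.userIsInRole (assumption).
function isAdmin(user, hasRole) {
  return hasRole(user._id, 'admin');
}

// The weak pattern the thread warns about, kept only for comparison.
function isAdminViaProfile(user) {
  return Boolean(user.profile && user.profile.isAdmin);
}

// Minimal stand-in for a Meteor collection (constructed for this example):
// records deny rules and evaluates a simulated client update against them.
function makeStubCollection() {
  const denyRules = [];
  return {
    deny(rules) { denyRules.push(rules); },
    // Meteor rejects the update if any deny rule returns true.
    clientUpdateAllowed(userId, doc, fieldNames, modifier) {
      return !denyRules.some(r => r.update && r.update(userId, doc, fieldNames, modifier));
    },
  };
}

// Constructed sample: a user who tampered with their own profile from the client.
const tamperedUser = { _id: 'u1', profile: { isAdmin: true } };
// Constructed roles lookup: nobody actually holds the admin role.
const noAdmins = () => false;
```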