meteor / validated-method

Meteor methods with better scoping, argument checking, and good defaults.
https://atmospherejs.com/mdg/validated-method
MIT License

Calling the Method with custom userId from the client #33

Closed verdavaine closed 8 years ago

verdavaine commented 8 years ago

When calling the method with a custom userId from the browser console for testing purposes: `Todos.methods.updateText.run.call({ userId: 'abcd' }, {...});` It seems that:

stubailo commented 8 years ago

Yes, it would be horribly insecure if you could call methods from the client with a custom user ID, and have those execute on the server. You should use meteor shell for debugging in that case, which is like the browser console but on the server.

As for this.isSimulation, I think we need to add a new function method.callWithUser which properly sets this.userId, this.isSimulation, and more things that "real" method calls expect.

Sure, you can use Meteor.isServer, that will do the same thing in most cases. Perhaps that is actually a better approach.

Anyway, I'm going to close this because you definitely shouldn't be able to pass a custom user ID to a method from the client, and if you could that would be a major security flaw. Perhaps some other package like @msavin's Meteor Toys can add a backdoor to call methods in this way.
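The point of the discussion above, as an added illustration that is not code from Meteor or from mdg:validated-method: a `run.call({ userId: 'abcd' }, ...)` typed into the browser console only invokes the client stub locally, while the real method's `this.userId` is set by the server from the authenticated session of the connection the call arrived on. The `FakeValidatedMethod` class, the in-memory session table and todo stores, and the `serverCall`, `insecureServerCall`, `clientConsoleCall` and `callWithUser` functions are all simplified stand-ins written for this example (the last one mirrors the proposed `method.callWithUser` only in spirit).

```javascript
// Added illustration, not Meteor or validated-method code. Every name below is
// a stand-in invented for this example.

// Constructed fixtures: the server collection and the client's local copy
// (think MongoDB and minimongo). In Meteor both are imported as `Todos`; here
// the method body picks one via this.isSimulation so the two stay separate.
const Todos = { server: new Map(), client: new Map() };
function resetTodos() {
  Todos.server = new Map([["t1", { ownerId: "u-alice", text: "original" }]]);
  Todos.client = new Map([["t1", { ownerId: "u-alice", text: "original" }]]);
}
resetTodos();

// Constructed server-side login state: DDP connection id -> authenticated user.
const sessions = new Map([["conn-alice", "u-alice"], ["conn-bob", "u-bob"]]);

// Minimal stand-in for a ValidatedMethod: validate the arguments, then run the
// body with whatever `this` the caller of run() supplies.
class FakeValidatedMethod {
  constructor({ name, validate, run }) {
    this.name = name;
    this.validate = validate;
    this.run = run;
  }
}

const updateText = new FakeValidatedMethod({
  name: "todos.updateText",
  validate(args) {
    // Reject unknown keys so nothing like a userId can ride along in the args.
    const keys = Object.keys(args).sort().join(",");
    if (keys !== "newText,todoId") throw new Error("unexpected arguments: " + keys);
    if (typeof args.todoId !== "string" || typeof args.newText !== "string") {
      throw new Error("invalid argument types");
    }
  },
  run({ todoId, newText }) {
    const store = this.isSimulation ? Todos.client : Todos.server;
    const todo = store.get(todoId);
    if (!todo) throw new Error("todos.updateText.notFound");
    // The authorization decision hinges entirely on this.userId.
    if (todo.ownerId !== this.userId) throw new Error("todos.updateText.unauthorized");
    todo.text = newText;
    return { todoId, text: newText, userId: this.userId };
  },
});

// Correct server dispatch: the method context is built here, on the server,
// and userId comes from the session bound to the connection. Nothing inside
// the client's message can influence it.
function serverCall(method, connectionId, args) {
  method.validate(args);
  const ctx = { userId: sessions.get(connectionId) || null, isSimulation: false };
  return method.run.call(ctx, args);
}

// The flaw the issue warns about: letting the client's message pick the user.
// Any caller can then act as anyone.
function insecureServerCall(method, message) {
  const { userId, ...args } = message;
  method.validate(args);
  return method.run.call({ userId, isSimulation: false }, args);
}

// What `Todos.methods.updateText.run.call({ userId: 'abcd' }, ...)` in the
// browser console amounts to: a plain local call against the client copy.
// It never crosses the wire, so the server's data is untouched.
function clientConsoleCall(method, fakeThis, args) {
  return method.run.call({ ...fakeThis, isSimulation: true }, args);
}

// Server-only test helper in the spirit of the proposed method.callWithUser:
// build a full server context for a chosen user (for meteor shell or tests).
function callWithUser(method, userId, args) {
  method.validate(args);
  return method.run.call({ userId, isSimulation: false }, args);
}

// Walk through the scenarios from the issue and report what each one did.
function demo() {
  resetTodos();
  const args = { todoId: "t1", newText: "changed from console" };
  clientConsoleCall(updateText, { userId: "u-alice" }, args);
  const clientText = Todos.client.get("t1").text;
  const serverTextAfterConsole = Todos.server.get("t1").text;
  let bobRejected = false;
  try { serverCall(updateText, "conn-bob", args); } catch (e) { bobRejected = /unauthorized/.test(e.message); }
  let smuggledRejected = false;
  try { serverCall(updateText, "conn-bob", { ...args, userId: "u-alice" }); } catch (e) { smuggledRejected = /unexpected/.test(e.message); }
  const alice = serverCall(updateText, "conn-alice", { todoId: "t1", newText: "alice edit" });
  insecureServerCall(updateText, { todoId: "t1", newText: "owned by bob", userId: "u-alice" });
  const insecureText = Todos.server.get("t1").text;
  return { clientText, serverTextAfterConsole, bobRejected, smuggledRejected, aliceUserId: alice.userId, insecureText };
}

module.exports = { Todos, resetTodos, updateText, serverCall, insecureServerCall, clientConsoleCall, callWithUser, demo };
```

Running `demo()` shows the spoofed console call changing only the client copy, the server rejecting the same edit from bob's connection (and rejecting a userId smuggled into the arguments), and the `insecureServerCall` variant handing bob alice's todo, which is exactly why the real dispatcher must never read the user from the message.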