Closed hamedhemmati closed 7 years ago
Have you written an appropriate "allow rule" for file 'write' permission?
See docs: https://github.com/vsivsi/meteor-file-collection#fcallowoptions
Also, sample app code: https://github.com/vsivsi/meteor-file-sample-app/blob/master/sample.coffee#L192-L197
Yes I have all the allow rules based on the documentation. If I switch the meteor.call to a client side insert then it works fine.
These are the rules I have on the server and I wanted to get rid of the insert and remove for security reasons by using a method.
Meteor.publish('myAvatar',
function (clientUserId) {
if (clientUserId === this.userId) {
return Avatars.find({ 'metadata._Resumable': { $exists: false },
'metadata.owner': this.userId });
} else { // Prevent client race condition:
return null; // This is triggered when publish is rerun with a new
// userId before client has resubscribed with that userId
}
}
);
// Allow rules for security. Should look familiar!
// Without these, no file writes would be allowed
Avatars.allow({
// The creator of a file owns it. UserId may be null.
insert: function (userId, file) {
// Assign the proper owner when a file is created
file.metadata = file.metadata || {};
file.metadata.owner = userId;
return true;
},
// Only owners can remove a file
remove: function (userId, file) {
// Only owners can delete
return (userId === file.metadata.owner);
},
// Only owners can retrieve a file via HTTP GET
read: function (userId, file) {
return (userId === file.metadata.owner);
},
// This rule secures the HTTP REST interfaces' PUT/POST
// Necessary to support Resumable.js
write: function (userId, file, fields) {
// Only owners can upload file data
return (userId === file.metadata.owner);
}
});
And does your "insert method" properly set the file.metadata.owner
property on the new file? The insert allow rule will not be triggered on a server-side insert, so you'll need to handle that in your method.
I see so the owner wasn't set. I just added
metadata: {
owner: this.userId
}
to my method and now it's working fine. Thanks for the help and the awesome package!
This is more of a question than an issue. I am trying to use a meteor method instead of allowing client side insert. I think I have everything done correctly but I am getting a 403 forbidden on the resumable upload.
On the client I have
and on the server I have this method
There seems to be a permission problem for uploading the chunks.