Understanding “Not permitted. Untrusted code may only update documents by ID.” Meteor error

by

From the Meteor blog:

Changes to allow/deny rules

Starting in 0.5.8, client-only code such as event handlers may only update or remove a single document at a time, specified by _id. Method code can still use arbitrary Mongo selectors to manipulate any number of documents at once. To run complex updates from an event handler, just define a method with Meteor.methods and call it from the event handler.

This change significantly simplifies the allow/deny API, encourages better application structure, avoids a potential DoS attack in which an attacker could force the server to do a lot of work to determine if an operation is authorized, and fixes the security issue reported by @jan-glx.

To update your code, change your allow and deny handlers to take a single document rather than an array of documents. This should significantly simplify your code. Also check to see if you have any update or remove calls in your event handlers that use Mongo selectors (this is quite rare), and if so, move them into methods. For details, see the update and remove docs.

So basically, from my point of view, you almost never want the behavior to be able to update and delete arbitrary sets of documents from the client without any more specific knowledge (like the id of the document).

When prototyping—which I’m guessing is what you’re doing—I suppose it can get in the way, but then if you ever want to get your code into production, I believe the pros outweigh the cons. This also comes down to the security declarations (allow and deny) being easier to specify after this change.

Hope that gave you some more information.

More Related Contents:

  1. I’m trying to build a music and video player, is there good support available in meteor js? Pls. suggest / recommend
  2. How do I use an existing MongoDB in a Meteor project?
  3. How to serve a file using iron router or meteor itself?
  4. Publish documents in a collection to a meteor client depending on the existence of a specific document in another collection (publish-with-relations)
  5. Publish certain information for Meteor.users and more information for Meteor.user
  6. Meteor’s subscription and sync are slow
  7. What are the best practices for structuring a large Meteor app with many HTML template files? [closed]
  8. How can I deploy node modules in a Meteor app on meteor.com?
  9. How to get the user IP address in Meteor server?
  10. How to ‘transform’ data returned via a Meteor.publish?
  11. Apollo / GraphQl – Type must be Input type
  12. Uncaught TypeError: fs.readFileSync is not a function
  13. Callback after the DOM was updated in Meteor.js
  14. How to build a Meteor smart package
  15. Meteor.methods returns undefined
  16. Meteor: how to search for only distinct field values aka a collection.distinct(“fieldname”) similar to Mongo’s
  17. Ordering of the css and js files loaded by Meteor
  18. How can I completely uninstall and then reinstall Meteor.js?
  19. Is there a post createUser hook in meteor when using accounts-ui package?
  20. Best practice to create chat application with private rooms
  21. Understanding Meteor Publish / Subscribe
  22. Meteor: Proper use of Meteor.wrapAsync on server
  23. How do I use the Spacing Utility Classes in Bootstrap
  24. Background tasks in Meteor
  25. Meteor: difference between names for collections, variables, publications, and subscriptions?
  26. How efficient can Meteor be while sharing a huge collection among many clients?
  27. Publishing/subscribing multiple subsets of the same server collection
  28. What’s going on with Meteor and Fibers/bindEnvironment()?
  29. Verify user password in Meteor
  30. How can I debug my Meteor app using the WebStorm IDE?

Leave a Comment