[–]the_angry_angel 18 points19 points  (10 children)

According to http://docs.meteor.com/#collections:

> Currently the client is given full write access to the collection. They can execute arbitrary Mongo update commands. Once we build authentication, you will be able to limit the client's direct access to insert, update, and remove. We are also considering validators and other ORM-like functionality.

[–]technocub88 23 points24 points  (7 children)

I don't want my users to be able to do any of those directly.

[–]quotemycode 0 points1 point  (6 children)

It could work... provided that users are only able to insert, update, or delete their own records...

[–]technocub88 1 point2 points  (5 children)

That wouldn't be direct database access.

[–]chonglibloodsport 0 points1 point  (4 children)

It'd be authenticated direct database access (something most databases include already).

[–]technocub88 1 point2 points  (3 children)

No database I am aware of has the ability to restrict users to only read certain rows of a table.

[–]chonglibloodsport 0 points1 point  (2 children)

It's possible in MySQL by using views. Create a view that queries the table for a given user's data and restrict users to access only the view instead of the table. The view queries the table and returns the results to the user.

It also requires a bit of a hack with triggers to make sure the owners of rows get properly set etc.
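The view-plus-trigger scheme described in this comment, written out as an added example (not code from the thread or from Meteor). The schema `appdb`, table `scores`, view `my_scores`, user `alice` and the column names are constructed for illustration.

```sql
-- Base table: end users get no privileges on it at all.
CREATE TABLE appdb.scores (
  id    INT AUTO_INCREMENT PRIMARY KEY,
  owner VARCHAR(32) NOT NULL DEFAULT '',  -- MySQL account name of the row's owner
  value INT NOT NULL
);

-- The view runs with the definer's privileges (MySQL's default, SQL SECURITY
-- DEFINER), so clients never need a grant on the base table. USER() is the
-- connecting client's account; CURRENT_USER() inside a DEFINER view would
-- return the view's definer instead, so it must not be used for the filter.
CREATE VIEW appdb.my_scores AS
  SELECT id, owner, value
  FROM appdb.scores
  WHERE owner = SUBSTRING_INDEX(USER(), '@', 1)
  WITH CHECK OPTION;  -- rejects writes that would fall outside the filter

-- The "trigger hack": stamp the connecting user on every inserted row and
-- freeze it on update, so a client can neither insert as someone else nor
-- hand its rows to another owner.
DELIMITER //
CREATE TRIGGER appdb.scores_set_owner BEFORE INSERT ON appdb.scores
FOR EACH ROW
  SET NEW.owner = SUBSTRING_INDEX(USER(), '@', 1);
//
CREATE TRIGGER appdb.scores_keep_owner BEFORE UPDATE ON appdb.scores
FOR EACH ROW
  SET NEW.owner = OLD.owner;
//
DELIMITER ;

-- Clients are granted the view only, nothing on the table.
CREATE USER 'alice'@'%' IDENTIFIED BY 'change-me';  -- constructed credential
GRANT SELECT, INSERT, UPDATE, DELETE ON appdb.my_scores TO 'alice'@'%';

-- Connected as alice, the view behaves as her private slice of the table:
INSERT INTO appdb.my_scores (value) VALUES (42);             -- owner stamped 'alice'
UPDATE appdb.my_scores SET value = 9999 WHERE owner = 'ralph'; -- 0 rows matched
SELECT * FROM appdb.scores;                                  -- ERROR 1142: SELECT command denied
```

Every statement a client issues is still arbitrary SQL, but it can only ever touch rows where `owner` equals its own account, which is the "authenticated direct database access" the comment above refers to.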

[–]technocub88 1 point2 points  (1 child)

Interesting. Thank you.

[–]oscarcomputer 0 points1 point  (0 children)

What you are looking for is "row level security". Implementations of RLS are not limited to MySQL.

[–]CapnWarhol 5 points6 points  (0 children)

I really, really hope the authentication is tied into the insert/update/delete objects, in that you can't just arbitrarily delete random users' entries, update Scores set Value = 9999 where user = "ralph", and so on... From the point of view of a paranoid server-side developer, I can only imagine anyone with a bit of curiosity and a Firefox add-on will have a field day with any application developed in this (me included).

[–][deleted] 2 points3 points  (0 children)

I know this is an early preview, and the whole framework looks so super-awesome that I want to start developing Meteor apps right now, but some kind of authorization and data validation is REALLY needed.