Tuesday, 15 February 2011

collections - MeteorJS - How to prevent UnloggedIn Users from fetching database? -




I'm populating an app using MeteorJS. There's one security issue I need to prepare for in the app: an anonymous user can freely use this:

Meteor.users.find().fetch()

...in the console to get the current users' information. I have the packages insecure & autopublish removed.

When I publish the users collection on the server, I did this:

Meteor.publish 'users basic info', -> Meteor.users.find {}, fields: { "emails": 1, "profile": 1 }

But when clients retrieve the info using Meteor.users.find().fetch(), they get more fields than the restricted ones, e.g. position, roles etc...

Hope you guys can help me with this. Thanks much in advance!

Your publish function is returning user documents to the client because you have an empty object query, which is why the client can see all user data. You need the following (apologies, I don't use CS):

Meteor.publish('users basic info', function() { return Meteor.users.find({ _id: this.userId }, { fields: { profile: 1, emails: 1 } }); });

Note that this.userId is a constant as opposed to a reactive variable, but the whole publish function reruns when the logged in user changes (including to null), so this should work fine.

Are position, roles, etc. fields not subfields of profile? If they're not, and you have no other publish function for user info (and autopublish removed), it's not clear why you can see those fields on the client.
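As an added example that is not code from the question or the answer: a Meteor-free model of what reaches the client under each publish function. `project` and `clientView` are assumed stand-ins for Meteor's server-side `fields` projection and its client-side merging of publications; the user documents are constructed sample data.

```javascript
// Added example, not code from the question or the answer: a Meteor-free model of
// what a publication sends to the client. `users` is constructed sample data.
const users = [
  { _id: "u1", emails: [{ address: "a@example.com" }], profile: { name: "A" },
    position: "manager", roles: ["admin"], services: { password: { bcrypt: "<hash>" } } },
  { _id: "u2", emails: [{ address: "b@example.com" }], profile: { name: "B" },
    position: "clerk", roles: ["staff"], services: { password: { bcrypt: "<hash>" } } },
];
// Mirrors a `fields: { x: 1 }` projection: only listed fields plus _id reach the client.
function project(doc, fields) {
  const out = { _id: doc._id };
  for (const key of Object.keys(fields)) {
    if (fields[key] === 1 && key in doc) out[key] = doc[key];
  }
  return out;
}

// The question's publication: empty selector, so every user document is published
// (with the field restriction, but to anyone, logged in or not).
function publishAllUsersBasicInfo(collection) {
  return collection.map((u) => project(u, { emails: 1, profile: 1 }));
}

// The answer's publication, as a pure function of this.userId: nothing for an
// anonymous client, only the caller's own document otherwise.
function publishOwnBasicInfo(userId, collection) {
  if (!userId) return [];
  return collection
    .filter((u) => u._id === userId)
    .map((u) => project(u, { profile: 1, emails: 1 }));
}

// Meteor merges the documents of every active publication on the same collection
// field by field, which is how a second publication of `roles` would make that
// field visible on the client even though "users basic info" never sends it.
function clientView(...publications) {
  const byId = new Map();
  for (const docs of publications) {
    for (const doc of docs) byId.set(doc._id, { ...(byId.get(doc._id) || {}), ...doc });
  }
  return [...byId.values()];
}

// Server wiring (assumption: run inside a Meteor app; skipped when Meteor is absent).
if (typeof Meteor !== "undefined") {
  Meteor.publish("users basic info", function () {
    if (!this.userId) return this.ready();
    return Meteor.users.find({ _id: this.userId }, { fields: { profile: 1, emails: 1 } });
  });
}
```

Feeding `clientView` a second publication that sends `roles` reproduces the symptom in the question, so checking every `Meteor.publish` on the server for stray fields is the first thing to do.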

collections meteor fetch publish
