Asteroid Publication Security #119
Description
Testing further,
I have a Meteor "Server" app ("MONGO_URL=mongodb://username:[email protected]:2222/test meteor --port 5000 run") that contains the following type services so far:
- Publications
- Methods
For example, here is one publication on "Server":
Meteor.publish("Names", function() {
if (! this.userId) {
throw new Meteor.Error('names.unauthorized',
'This data doesn\'t belong to you.');
}
return Names.find({ userId: this.userId, limit: 1 });
});
I also have a Meteor "Admin" app ("MONGO_URL=mongodb://username:[email protected]:2222/test meteor --port 5005 run") that does admin stuff, and needs access to the Publications and Methods of the "Server" app
- Subscribes to "Server" Publications
- Calls out to "Server" Methods
I get Publication data from the "Server" if I don't have security applied if (! this.userId) , but if applied like above, I get nothing from the "Server" Publication.
The "Server" and "Admin" Meteor apps both talk to the same MongoDB via the URL. The "Server" & "Admin" has Meteor Accounts installed.
How can I get the this working?