
allow function, selector is undefined

Open KusokDobra12 opened this issue 6 years ago • 1 comments

Hello, I used the allow function as the author mentioned to filter the other users out, so they won't see sensitive data.

I use it like this:

new Tabular.Table({
    name: "Teams",
    collection: Teams,
    allow: function (userId, selector) {
        if (selector.userId !== userId && selector.userId !== +selector.userId) {
            return false; // not allowed to access another user's products
        }
    },
    columns: [
        {data: "team", title: "Team Name"},
        {data: "counter", title: "Players count"},
        {data: "last_played", title: "Last played"}
    ]
});

Then on the client I use a template called teams with the selector defined like this:

Template.teams.helpers({
    selector() {
        return { counter: this.players_num, userId: Meteor.userId() }; 
    }
});

<template name="teams">
<div class="row">
   {{> tabular table=TabularTables.Teams selector=selector id="teams" class="table table-bordered"}}
 </div>
</template>

So I pass counter and userId for filtering, but when I set a breakpoint on allow I can see that the second parameter, selector, is undefined. Please help: how do I properly pass this? Or did I misunderstand this? Basically I need to pass a filter by players + security so only the current user can see his team.

Also another question: can I use allow to filter additional fields? For example, I want to get from the collection using team id; this team id is stored in Meteor.user.profile, so can I do something like this?

    allow: function (userId, selector) {
        if (selector.team_id !== Meteor.user().profile.team_id) {
            return false; // not allowed to access another user's products
        }
    }

Can I filter like that?

KusokDobra12 avatar May 22 '19 03:05 KusokDobra12

According to the docs, allow only passes a userId, not the selector. So that's why it's undefined. Use changeSelector if you want the selector on the server-side for checking security. See Modifying The Selector. But I'm pretty sure you can't use this to limit access to certain fields.

I don't think you can limit fields based on a selector. But you can use initComplete: function(settings, json) {...} and hide columns based on anything you want. But this isn't secure, as all the fields of your table are still on the client. It's just for the UI of the table to hide columns.

There's also allowFields but this only allows usage of the userId for calculations. No access to the selector unfortunately.

evolross avatar May 22 '19 20:05 evolross
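
One way to apply the answer above to the Teams table, as an added example that is not part of the original thread or the meteor-tabular project's code: allow checks only the userId, and changeSelector rebuilds the client selector on the server. The function names, the counter whitelist and the guard on global Tabular/Teams are assumptions for illustration.

```javascript
// Added example, not from the issue thread. Hook signatures follow the
// answer above: allow(userId) and changeSelector(selector, userId).

// Only logged-in users may subscribe to the table's data at all.
function allowTeams(userId) {
  return Boolean(userId);
}

// Client-supplied filter keys that are safe to honor (assumption: only
// "counter" is a legitimate client filter for this table).
const CLIENT_FILTER_KEYS = ['counter'];

// Rebuild the selector on the server: copy whitelisted client filters,
// then pin userId to the authenticated user so a tampered client
// selector cannot widen the query to other users' teams.
function changeTeamsSelector(selector, userId) {
  const safe = {};
  for (const key of CLIENT_FILTER_KEYS) {
    const value = selector ? selector[key] : undefined;
    // Accept only primitive values; an object here could carry query
    // operators instead of a plain equality match.
    if (typeof value === 'number' || typeof value === 'string') {
      safe[key] = value;
    }
  }
  safe.userId = userId; // always the server-side identity
  return safe;
}

// Wire the hooks into the table when running inside Meteor
// (assumption: Tabular and Teams are available as globals).
if (typeof Tabular !== 'undefined' && typeof Teams !== 'undefined') {
  new Tabular.Table({
    name: 'Teams',
    collection: Teams,
    allow: allowTeams,
    changeSelector: changeTeamsSelector,
    columns: [
      { data: 'team', title: 'Team Name' },
      { data: 'counter', title: 'Players count' },
      { data: 'last_played', title: 'Last played' },
    ],
  });
}
```

The same pattern covers the team_id question: look up the user's team on the server inside changeSelector and set it on the returned selector, rather than comparing against a value sent by the client.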