meteor-astronomy
meteor-astronomy copied to clipboard
forceUpdate-flag breaks authorization with insecure Classes.
When my class is not secured and I try to update a document from the client using { forceUpdate: true }
, my Astronomy event-based authorization system fails (not allowing the operation when it actually should allow).
If I remove the forceUpdate
-flag from the save
-call, everything works as before.
Another way to "fix" it is to also apply simulation: false
on the same save
-operation.
Let me know if you need a repro and I'll try to come up with one.
Yep reproduction would be handful :)
Actually, I think these two are linked: https://github.com/jagi/meteor-astronomy/issues/649
In my case where forceUpdate: true
was causing issues I was also fetching only some fields of the documents (on the client), and also specifying which fields to save, like so:
doc.save({ fields: ['order'], forceUpdate: true });
I could fix the issue in three ways:
- Remove
forceUpdate: true
- Remove
fields
attribute from thefind
method call, thus fetching all fields - Add
simulation: false
to thesave
-call
Still working on the reproduction, but I'm missing something...
So, using forceUpdate
just requires you to have all fields in the actual document object you are updating, it's not enough to have them on the client. If forceUpdate
is omitted, then all you need is the field you are updating.
Please provide reproduction so I can easily work on a fix
I will, sorry it's taking a while, I'm in a tight spot currently with work.