
forceUpdate-flag breaks authorization with insecure Classes.

Open arggh opened this issue 6 years ago • 6 comments

When my class is not secured and I try to update a document from the client using { forceUpdate: true }, my Astronomy event-based authorization system fails (not allowing the operation when it actually should allow).

If I remove the forceUpdate-flag from the save-call, everything works as before.

Another way to "fix" it is to also apply simulation: false on the same save-operation.

Let me know if you need a repro and I'll try to come up with one.

arggh avatar Oct 20 '17 14:10 arggh

Yep reproduction would be handful :)

lukejagodzinski avatar Oct 21 '17 08:10 lukejagodzinski

Actually, I think these two are linked: https://github.com/jagi/meteor-astronomy/issues/649

In my case, where forceUpdate: true was causing issues, I was also fetching only some fields of the documents (on the client), and also specifying which fields to save, like so:

doc.save({ fields: ['order'], forceUpdate: true });

I could fix the issue in three ways:

  1. Remove forceUpdate: true
  2. Remove fields attribute from the find method call, thus fetching all fields
  3. Add simulation: false to the save-call

arggh avatar Oct 21 '17 14:10 arggh

Still working on the reproduction, but I'm missing something...

arggh avatar Oct 21 '17 15:10 arggh

So, using forceUpdate just requires you to have all fields in the actual document object you are updating; it's not enough to have them on the client. If forceUpdate is omitted, then all you need is the field you are updating.

arggh avatar Oct 21 '17 17:10 arggh

Please provide a reproduction so I can easily work on a fix.

lukejagodzinski avatar Oct 22 '17 18:10 lukejagodzinski

I will, sorry it's taking a while, I'm in a tight spot currently with work.

arggh avatar Oct 23 '17 10:10 arggh