A code template for writing secure Meteor methods

Mar 25, 2016

Meteor methods provide a secure means of writing to the database. Allow/deny rules can also enforce security, but methods give finer-grained control over exactly what a client may change, which comes in handy when dealing with complex data models.

Here is a code template for writing secure methods in Meteor.

import { Meteor } from 'meteor/meteor';
import { check } from 'meteor/check';
import { Roles } from 'meteor/alanning:roles';

Meteor.methods({
    performTask(args) {
        // check the whole argument object first: a plain-object pattern
        // rejects missing, mistyped and unexpected fields, and a missing
        // argument fails here with a Match.Error instead of a TypeError
        // from destructuring an undefined value
        check(args, { param1: String, param2: Number });
        const { param1, param2 } = args;

        // security check: authentication first, then authorisation by role
        if (!this.userId)
            throw new Meteor.Error('not-authorized', 'user must be logged in');
        if (!Roles.userIsInRole(this.userId, 'role_name'))
            throw new Meteor.Error('not-authorized', 'user must have role_name to perform this task');

        // unblock only after the checks have passed, and only when the task is
        // slow and need not be serialised with this client's other method calls
        this.unblock();

        // define a response object, so that we don't end up returning undefined
        const res = {};

        // perform task, using param1 and param2

        // return the results
        return res;
    }
});
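To see why the order of the steps matters, here is the template filled in for a concrete task and run outside Meteor. This is an added example, not code from the post: the method body is a plain function taking the Meteor context (userId, a role lookup and a collection) as `ctx`, the `check` stand-in mimics the exact-keys behaviour of Meteor's plain-object patterns, and the task collection, users and roles are constructed in memory. The names `setTaskChecked`, `editor`, `alice` and `bob` are illustrative assumptions.

```javascript
// Added example (not the post's own code): the template's flow as a plain
// Node.js function so its security properties can be exercised without a
// Meteor server. In Meteor the same body would sit inside Meteor.methods
// with `this.userId`, Roles and the collection in place of `ctx`.

class MatchError extends Error {}

// Minimal stand-in for Meteor's check(): constructors for scalars, and plain
// objects whose key set must match the pattern exactly. Rejecting extra keys
// is what makes check(args, {...}) safer than destructuring the argument.
function check(value, pattern) {
  if (pattern === String || pattern === Number || pattern === Boolean) {
    const expected = pattern.name.toLowerCase();
    if (typeof value !== expected || (pattern === Number && !Number.isFinite(value))) {
      throw new MatchError(`expected ${expected}, got ${typeof value}`);
    }
    return;
  }
  if (value === null || typeof value !== 'object' || Array.isArray(value)) {
    throw new MatchError('expected a plain object');
  }
  for (const key of Object.keys(value)) {
    if (!Object.prototype.hasOwnProperty.call(pattern, key)) {
      throw new MatchError(`unexpected field ${key}`);
    }
  }
  for (const key of Object.keys(pattern)) {
    if (!Object.prototype.hasOwnProperty.call(value, key)) {
      throw new MatchError(`missing field ${key}`);
    }
    check(value[key], pattern[key]);
  }
}

// Stand-in for Meteor.Error(code, reason).
class MethodError extends Error {
  constructor(code, reason) { super(reason); this.code = code; }
}

// The template applied to one task (hypothetical method name).
function setTaskChecked(ctx, args) {
  // 1. validate the whole argument object before touching anything
  check(args, { taskId: String, checked: Boolean });
  const { taskId, checked } = args;

  // 2. authenticate, then authorise by role
  if (!ctx.userId) throw new MethodError('not-authorized', 'login required');
  if (!ctx.userIsInRole(ctx.userId, 'editor')) {
    throw new MethodError('not-authorized', 'editor role required');
  }

  // 3. perform the task; ownership is enforced in the selector itself, so a
  //    valid id belonging to another user updates nothing rather than leaking
  const updated = ctx.tasks.update({ _id: taskId, owner: ctx.userId }, { $set: { checked } });
  return { taskId, updated };
}

// Constructed in-memory collection and role table for the demonstration.
function makeContext(userId) {
  const docs = new Map([
    ['t1', { _id: 't1', owner: 'alice', checked: false }],
    ['t2', { _id: 't2', owner: 'bob', checked: false }],
  ]);
  const roles = { alice: ['editor'], bob: [] };
  return {
    userId,
    userIsInRole: (uid, role) => (roles[uid] || []).includes(role),
    tasks: {
      update(selector, modifier) {
        const doc = docs.get(selector._id);
        if (!doc || doc.owner !== selector.owner) return 0;
        Object.assign(doc, modifier.$set);
        return 1;
      },
    },
  };
}

// Exercise the happy path and each failure mode the template guards against.
function demo() {
  const alice = makeContext('alice');
  const r = {};
  r.own = setTaskChecked(alice, { taskId: 't1', checked: true });       // updated: 1
  r.foreign = setTaskChecked(alice, { taskId: 't2', checked: true });   // updated: 0
  try { setTaskChecked(alice, { taskId: 't1', checked: true, owner: 'alice' }); }
  catch (e) { r.extraKey = e.constructor.name; }                        // MatchError
  try { setTaskChecked(alice, undefined); } catch (e) { r.noArgs = e.constructor.name; }
  try { setTaskChecked(makeContext('bob'), { taskId: 't2', checked: true }); }
  catch (e) { r.noRole = e.code; }                                      // not-authorized
  try { setTaskChecked(makeContext(null), { taskId: 't1', checked: true }); }
  catch (e) { r.anon = e.code; }                                        // not-authorized
  return r;
}
```

The `extraKey` case is the one the destructuring form in a template like this would miss: a client that sends `owner: 'alice'` alongside the expected fields passes per-field checks, and if the handler ever spreads the argument into an update modifier that extra field lands in the database. Putting the ownership condition into the update selector also means the result can be returned without a separate fetch-then-compare step.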