Security mechanisms in Meteor.js
There has been a lot of controversy around security in Meteor. "Database everywhere" does not exactly scream security: the client- and server-side code use the same collection API, and it does not take a genius to work out that the client can therefore also delete collections. After playing around for a while in the browser's JavaScript console, we could easily delete all the Users from our previous example. You can always roll your own security; for example, you can override the default server method handlers so that the Users and Images collections become inaccessible from the client for insert, update and remove:
Meteor.startup(function () {
  var collection = ['Users', 'Images'];
  var redefine = ['insert', 'update', 'remove'];
  for (var i = 0; i < collection.length; i++) {
    // The inner loop must step j; incrementing i here (as the original did)
    // never advances j and runs i past the end of collection.
    for (var j = 0; j < redefine.length; j++) {
      // Replace the built-in '/Users/insert', '/Users/update', ... handlers so
      // that writes initiated from the client no longer reach the database.
      Meteor.default_server.method_handlers['/' + collection[i] + '/' + redefine[j]] = function () {
        console.log('someone is hacking you, oh no !!! Too bad for him...');
        // ... (the rest of the handler body is not shown in the original)
      };
    }
  }
});
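The following is an added illustration, not code from the book: it models the server-side method-handler table that the override above manipulates, so the effect can be seen without a running Meteor server. `methodHandlers` is a constructed stand-in for `Meteor.default_server.method_handlers`, the collections hold constructed sample documents, and `callMethod` plays the role of the server dispatching a client's method call. It goes one step beyond the text in that the replacement handler refuses the write (the client gets an error) and records the attempt for review, rather than only logging a message.

```javascript
// Stand-in for Meteor.default_server.method_handlers: '/Collection/op' -> handler.
// (Constructed for this example; no real Meteor server is involved.)
const methodHandlers = {};
const blockedAttempts = [];   // audit trail of refused client writes

// Constructed sample collections (not real data).
let db = {};

// Minimal selector matching: {} matches everything, otherwise match by _id.
function matches(doc, selector) {
  return !selector || selector._id === undefined || selector._id === doc._id;
}

// Reinstall the "insecure" defaults: every write is honoured for any caller,
// which is the behaviour a fresh Meteor project starts with.
function resetDb() {
  db = {
    Users: [{ _id: 'u1', name: 'alice' }, { _id: 'u2', name: 'bob' }],
    Images: [{ _id: 'i1', file: 'cat.png' }],
  };
  for (const name of Object.keys(db)) {
    methodHandlers['/' + name + '/insert'] = (doc) => { db[name].push(doc); return doc._id; };
    methodHandlers['/' + name + '/update'] = (selector, modifier) => {
      let n = 0;
      for (const doc of db[name]) {
        if (matches(doc, selector)) { Object.assign(doc, modifier.$set || {}); n++; }
      }
      return n;
    };
    methodHandlers['/' + name + '/remove'] = (selector) => {
      const before = db[name].length;
      db[name] = db[name].filter((doc) => !matches(doc, selector));
      return before - db[name].length;   // number of documents removed
    };
  }
  blockedAttempts.length = 0;
}

// What the server does when a client message names a method.
function callMethod(method, ...args) {
  const handler = methodHandlers[method];
  if (!handler) throw new Error('method not found: ' + method);
  return handler(...args);
}

function countDocs(name) { return db[name].length; }

// The override from the text, with the loop bug fixed and the handler made to
// refuse the write: the client receives an error and the attempt is recorded.
function lockDownCollections(collections, ops) {
  for (const name of collections) {
    for (const op of ops) {
      const method = '/' + name + '/' + op;
      methodHandlers[method] = function (...args) {
        blockedAttempts.push({ method, args });
        // In a real Meteor app this would be `throw new Meteor.Error(403, ...)`.
        throw new Error('403: client writes to ' + name + ' are disabled');
      };
    }
  }
}

function getBlockedAttempts() { return blockedAttempts.slice(); }

// Walk-through: with the insecure default a client call wipes Users; after the
// override the same call is refused and the data is untouched.
function demo() {
  resetDb();
  const wiped = callMethod('/Users/remove', {});   // 2 documents removed
  resetDb();
  lockDownCollections(['Users', 'Images'], ['insert', 'update', 'remove']);
  let refused = false;
  try { callMethod('/Users/remove', {}); } catch (e) { refused = true; }
  return { wiped, refused, usersLeft: countDocs('Users'), blocked: getBlockedAttempts().length };
}
```

Two points worth keeping in mind when applying this to a real project: `Meteor.default_server.method_handlers` is an internal structure rather than a supported API, and the supported way to get the same result is to remove the `insecure` package and define `allow`/`deny` rules on each collection; and a handler that silently swallows the write hides the problem from the client, whereas throwing an error plus an audit record tells you how often someone is trying it.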