Izack Izack - 7 months ago 47
Javascript Question

meteor with flow-router: Do I have access to Meteor.User from within a flow-router trigger?

I believe that from a security perspective, it is best to handle access to restricted URLs in 2 places:

  • Routing level: Make sure no-one will be able to get to a route which is not permitted for
  • Template level: No restricted data will be shown before verifying permissions.

Iron-Router supports the first way, but I want to use Flow-Router.

I found an article by Satya van He-men, Meteor: Using Flow Router for authentication and permissions.

In this article he is using routing groups and triggers to "filter" routes by permissions.

But in this article he is using Meteor.loggingIn(), Meteor.userId(), Meteor.user() and Roles.userIsInRole() inside the triggersEnter: function of the FlowRouter object.

Is it possible that any of those functions will be undefined during the triggersEnter execution?

Is it safe to use them?

I like the pattern from the article, but want to make sure it is safe to use (or can become safe with a few changes).

Answer

I think your reason for concern is valid. It's possible, because triggersEnter is called just once. I recommend reading the official tutorial on the Auth Logic Permission, which is on the Template level and is reactive.

Previously, we did this in the router layer (specifically with Iron Router). However, that's not a good design and we don't recommend it.

https://kadira.io/academy/meteor-routing-guide/content/implementing-auth-logic-and-permissions
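
The difference between a check evaluated once on route entry and one that is re-evaluated at the template level, as an added example that is not part of the original question, the answer, or the linked article. The names `decideAccess`, `makeFakeClient`, `simulate` and `templateFor` are hypothetical, and the fake client is a constructed stand-in for `Meteor.loggingIn()`, `Meteor.user()` and `Roles.userIsInRole()` so the code runs without Meteor.

```javascript
// Added example: decideAccess, makeFakeClient, simulate, templateFor are hypothetical names.
// Three-state decision: "still logging in" is neither allowed nor denied.
function decideAccess(api, requiredRole) {
  if (api.loggingIn()) return 'loading';        // a login is still in flight
  const user = api.user();
  if (!user) return 'denied';                   // nobody is logged in
  return api.userIsInRole(user, requiredRole) ? 'granted' : 'denied';
}

// Constructed stand-in for the Meteor client so the example runs offline.
// Assumption: in a Meteor app you would pass
//   { loggingIn: () => Meteor.loggingIn(), user: () => Meteor.user(),
//     userIsInRole: (u, r) => Roles.userIsInRole(u, r) }
// from inside a Blaze helper, so Tracker re-runs the decision when they change.
function makeFakeClient(finalUser) {
  let state = { loggingIn: true, user: undefined };   // snapshot at page load
  return {
    api: {
      loggingIn: () => state.loggingIn,
      user: () => state.user,
      userIsInRole: (u, role) => Array.isArray(u.roles) && u.roles.includes(role),
    },
    finishLogin() { state = { loggingIn: false, user: finalUser }; },
  };
}

// Compare a check evaluated once on route entry with one re-evaluated later.
function simulate(finalUser, requiredRole) {
  const client = makeFakeClient(finalUser);
  const onRouteEnter = decideAccess(client.api, requiredRole); // runs once
  client.finishLogin();                                        // login resolves
  const afterRerun = decideAccess(client.api, requiredRole);   // reactive re-run
  return { onRouteEnter, afterRerun };
}

// Fail closed: restricted content renders only in the 'granted' state.
function templateFor(decision) {
  return { loading: 'spinner', denied: 'accessDenied', granted: 'adminPage' }[decision];
}

const admin = { _id: 'u1', roles: ['admin'] };   // constructed sample users
const guest = { _id: 'u2', roles: [] };
console.log(simulate(admin, 'admin'));
console.log(simulate(guest, 'admin'));
console.log(simulate(null, 'admin'));
```

Client-side checks of either kind only control what is displayed; publications and methods have to enforce the same permissions on the server.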