
Meteor client minimongo retains subscribed collection info after logout; newly logged-in user sees old data


I'm using a publish to limit which data a user sees in their report:

    Meteor.publish("companyReport", function () {
        // No logged-in user on this connection: publish nothing.
        if (!this.userId) return null;
        var user = Meteor.users.findOne(this.userId);
        var userCompany = user.profile.company;
        var userRole = user.roles;
        var userName = user.username;

        // Call the role check directly. A function expression used as the condition
        // is always truthy, and Meteor.user() is not available inside publish functions.
        if (Roles.userIsInRole(this.userId, ['chiefs'])) {
            return ReportCollection.find({companyName: userCompany});
        } else if (Roles.userIsInRole(this.userId, ['managers'])) {
            return ReportCollection.find({companyName: userCompany, managerName: userName});
        } else {
            return null;
        }
    });

Now, on the client side I can simply subscribe. It's generally working fine, except:

I noticed the following odd behaviour I don't want: if I am logged in as a "chiefs" role user and can see a company-wide report, then log out and log in as a "managers" user, I can still see the data I am not supposed to be allowed to see.

I know that my publication control mechanism is working OK, as when I log in as a manager from another browser, I see the correct (more limited) results.

I can only conclude that minimongo on the client is keeping the collection data from the old subscription as a "chiefs" user.
Is this correct? If so, how do I flush this data upon logout? Or what do people usually do to avoid this?

Thanks


Solution

  • You probably do need to flush this data on logout, which will involve saving the subscription handle and then stopping it:

    // when you subscribe
    var reportHandle = Meteor.subscribe('companyReport');
    // then when you want to log out
    reportHandle.stop();
    Meteor.logout();
    

    UPDATE

    If I understand your question, you want to make sure you're only ever flushing the minimongo when the user actually logs out:

    Meteor.logout(function(err) {
        if (err)
            console.log(err);
        else 
            reportHandle.stop();
    });
    

    ANOTHER UPDATE

    Ah, now I see what you're asking. It depends on the package, as there's no onLogout event listener you can use for this. You can probably monkey-patch something quite easily, but I'm not sufficiently familiar with accounts-ui-bootstrap to say for sure.
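
An added example, not part of the answer above or of any Meteor package: one way to tie the subscription's lifetime to the logged-in user without a logout hook, by rerunning on the reactive `Meteor.userId()`. The helper name `scopeSubscriptionToUser` and its `deps` parameter are assumptions of this example; `Tracker.autorun`, `Meteor.userId`, `Meteor.subscribe` and the handle's `stop()` are the standard Meteor client calls.

```javascript
// Added example: keep a subscription alive only while the same user is logged in.
// `deps` carries the Meteor and Tracker objects so the function can be exercised
// outside a Meteor app; the function name is an assumption of this example.
function scopeSubscriptionToUser(deps, name) {
  const { Meteor, Tracker } = deps;
  let handle = null;

  // Meteor.userId() is a reactive source, so this computation reruns on every
  // login and logout, whichever package or UI widget triggered it.
  return Tracker.autorun(function () {
    const userId = Meteor.userId();

    // Stop the previous user's subscription first; stopping it makes the
    // client drop the documents that only that subscription supplied.
    if (handle) {
      handle.stop();
      handle = null;
    }

    // Subscribe again only when somebody is logged in.
    if (userId) {
      handle = Meteor.subscribe(name);
    }
  });
}

// In a Meteor client, pass the real globals.
if (typeof Meteor !== 'undefined' && typeof Tracker !== 'undefined' && Meteor.isClient) {
  scopeSubscriptionToUser({ Meteor: Meteor, Tracker: Tracker }, 'companyReport');
}
```

The client-side cache is only a convenience layer; what each user may receive is still decided by the role checks inside the publish function on the server.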