javascript meteor flow-router

Meteor with flow-router: Do I have access to Meteor.User from within a flow-router trigger?


I believe that, from a security perspective, it is best to handle access to restricted URLs in 2 places:

  • Routing level: Make sure no-one will be able to get to a route which is not permitted for
  • Template level: No restricted data will be shown before verifying permissions.

Iron-Router supports the first way, but I want to use Flow-Router.

I found an article by Satya van He-men, "Meteor: Using Flow Router for authentication and permissions".
In this article he is using routing groups and triggers to "filter" routes by permissions.
But in this article he is using Meteor.loggingIn(), Meteor.userId(), Meteor.user() and Roles.userIsInRole() inside the triggersEnter: function of the FlowRouter object.


Is it possible that any of those functions will be undefined during the triggersEnter execution?
Is it safe to use them?
I like the pattern from the article, but want to make sure it is safe to use (or can become safe with a few changes).


Solution

  • I think your reason for concern is valid; it's possible, because triggersEnter is called just once. I recommend reading the official tutorial on auth logic and permissions, which is on the template level and is reactive.

    Previously, we did this in the router layer (specifically with Iron Router). However, that's not a good design and we don't recommend it.

    https://kadira.io/academy/meteor-routing-guide/content/implementing-auth-logic-and-permissions
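
The difference between a check that runs once on route entry and a reactive template-level check, as an added example that is not part of the original question or answer. It is a plain JavaScript model, not Meteor or Flow Router code: `makeReactive`, `accessState`, `enterRouteOnce`, `watchAccess` and `simulate` are hypothetical names, and it assumes the user document arrives after the route has been entered.

```javascript
// Minimal stand-in for a reactive data source (constructed for this example;
// it models the idea of reactivity, it is not Meteor's implementation).
function makeReactive(initial) {
  let value = initial;
  const watchers = new Set();
  return {
    get(watcher) { if (watcher) watchers.add(watcher); return value; },
    set(next) { value = next; watchers.forEach((w) => w()); },
  };
}

// Pure decision shared by both checks: 'loading' | 'denied' | 'granted'.
function accessState(loggingIn, user, role) {
  if (loggingIn) return 'loading';          // never decide while login is pending
  if (!user) return 'denied';
  return (user.roles || []).includes(role) ? 'granted' : 'denied';
}

// One-shot check: evaluated a single time, like a trigger on entering a route.
function enterRouteOnce(session, role) {
  return accessState(session.loggingIn.get(), session.user.get(), role);
}

// Reactive check: re-evaluated whenever the login state or the user changes,
// like a template-level helper.
function watchAccess(session, role, onChange) {
  const run = () => onChange(
    accessState(session.loggingIn.get(run), session.user.get(run), role));
  run();
}

// Constructed scenario: the login completes after the route was entered.
function simulate(roles) {
  const session = { loggingIn: makeReactive(true), user: makeReactive(null) };
  const atEntry = enterRouteOnce(session, 'admin');
  const seen = [];
  watchAccess(session, 'admin', (state) => seen.push(state));
  session.user.set({ _id: 'u1', roles });   // user document arrives
  session.loggingIn.set(false);             // login finishes
  return { atEntry, final: seen[seen.length - 1], seen };
}

console.log(simulate(['admin']), simulate(['editor']));
```

The one-shot result stays at `loading` whatever the user's roles turn out to be, while the reactive check settles on the real answer. Either check only decides what the client renders; publications and methods on the server still have to enforce the same permission.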