Search code examples
javascriptmeteormeteor-autoform

After removing insecure unable to add recipes and getting error

After removing insecure i am unable to add new recipe and getting following error message Access denied [403] cfs_base-package.js:108 however if i add insecure message again i can add recipes again.Can you please help me to solve this problem Complete source code Github

collections.js

Recipes = new Mongo.Collection('recipes');
Reviews = new Mongo.Collection('reviews');
RecipesImages = new FS.Collection("recipesImages", {
    stores: [new FS.Store.GridFS("recipesImages")]
});

server/permissions.js

   RecipesImages.allow({
        insert: function(userId, doc) {
            return true;
        },
        update: function(userId, doc, fieldNames, modifier) {
            return true;
        },
        remove: function(userId, doc) {
            return false;
        },
        download: function(userId,doc) {
            return true;
        },
        fetch: null
    });

schemas.js

Recipes.attachSchema(new SimpleSchema({
    ownerId: {
        type: String
    },
    ownerName: {
        type: String

    },
    voters:{
        type:Array,
        optional:true
    },
    'voters.$':{
        type:String
    },
    name: {
        type: String,
        label: "Recipe Name",
        max: 100
    },

    ingredients: {
        type: [Object],
        minCount: 1
    },

    "ingredients.$.name":{
        type: String
    },
    "ingredients.$.amount": {
        type: String
    },
    description: {
        type: String,
        label: "How to prepare ",
    },
    time: {
        type: Number,
        label: "Time (Minutes)",
        min:0
    },
    likes:{
        type:Number,
        optional:true
    },
    image: {
        type: String,
        autoform: {
            afFieldInput: {
                type: "cfs-file",
                collection: 'recipesImages',
                label: 'Recipe Picture'
            }
        }
    }
}));
Solution

  • Got this working from your repo, the main issue is that whilst you are allowing insert to the RecipesImages FS collection you are not doing the same for Recipes collection so when it attempts to insert via simple schema it can do the image part but not the rest of the recipe document.

    Of course you will probably want to beef up this for security but the below should work:

        Recipes.allow({
      insert: function(userId, doc) {
          return true;
      }
    });

    There was also a validation error on the schema which popped up on the ownerName field not being populated so I had to set this to optional although I guess if you could insert with insecure on this is just a typo:

    ownerName: {
    type: String,
    optional: true
}