
Is it insecure to just validate with SimpleSchema, and not use allow/deny rules?


I am using SimpleSchema (the node-simpl-schema package) in an isomorphic way. Validation messages show up on the client as well as from meteor shell.

My question is whether or not this setup is actually secure, and if I need to also write allow/deny rules.

For example:

# Register the message shown when the custom validator below returns "missing_user"
SimpleSchema.setDefaultMessages
  messages:
    en:
      "missing_user": "cant create a message with no author"

MessagesSchema = new SimpleSchema({
  content: {
    type: String,
    label: "Message",
    max: 200,
  },
  author_id: {
    type: String,
    autoform:
      # Pre-fill the form field with the logged-in user
      defaultValue: ->
        Meteor.userId()
    # Custom validator: fails with "missing_user" if no user document has this _id
    custom: ->
      if !Meteor.users.findOne(_id: @obj.author_id)
        "missing_user"
  },
  room_id: {
    type: String,
  }
}, {tracker: Tracker})

In meteor shell I test it out and it works as intended.

> Messages.insert({content: "foo", author_id: "asd"})
/home/max/Desktop/project/meteor/two/.meteor/local/build/programs/server/packages/aldeed_collection2-core.js:501
      throw error;                                                                                                    // 440
      ^
Error: cant create a message with no author

Should I duplicate this validation logic in my allow/deny rules? Or can I let my allow function always return true, like I'm doing now?


Solution

  • I have some very simple rules that ensure the application is secure:

    1. Do not use allow/deny rules - deny all client-side write requests.
    2. If the client needs to write something in the database, they must do so through Meteor methods.
    3. Ideally, the Meteor methods would call a function (which can be shared code, or server-specific code), and then check for the validity of the database modifier (using the Schema) would be done inside these functions.
    4. Optionally, you can also create client-side methods, which would clean the object and carry out its own validation using the schema before calling the server-side method.
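The four rules above applied to the MessagesSchema from the question, as an added example that is not part of the question or the answer. It assumes a Meteor app with simpl-schema and a `Messages` collection; the method name `messages.insert` and the helper `insertMessage` are made up for the example.

```coffeescript
# server/messages.coffee (added example, not code from the original post)
Messages = new Mongo.Collection 'messages'

# Rule 1: deny every client-side write. Meteor already denies writes when no
# allow rule exists, but an explicit deny documents the intent and survives a
# later, careless `allow` added elsewhere.
Messages.deny
  insert: -> true
  update: -> true
  remove: -> true

# Rule 3: a server function that owns the validation. The schema is the
# single source of truth; the method never inserts an unvalidated document.
insertMessage = (doc, userId) ->
  throw new Meteor.Error 'not-authorized', 'login required' unless userId
  # Do not trust author_id from the wire: the schema's custom check only
  # proves the user exists, so the server stamps the caller's own id.
  doc = Object.assign {}, doc, author_id: userId
  # clean() strips unknown keys and coerces types before validation
  cleaned = MessagesSchema.clean doc
  ctx = MessagesSchema.newContext()
  ctx.validate cleaned
  unless ctx.isValid()
    firstKey = ctx.validationErrors()[0].name
    throw new Meteor.Error 'validation-error', ctx.keyErrorMessage(firstKey)
  Messages.insert cleaned

# Rule 2: the only write path clients can reach is a method
Meteor.methods
  'messages.insert': (doc) ->
    check doc, Object            # reject non-objects before touching the schema
    insertMessage doc, @userId

# Rule 4 (optional, client/messages.coffee): a client stub that cleans and
# validates first so the user gets immediate feedback; the server still
# revalidates, so this stub is a convenience, not a security boundary.
if Meteor.isClient
  submitMessage = (doc) ->
    cleaned = MessagesSchema.clean doc
    MessagesSchema.validate cleaned     # throws on the client for fast feedback
    Meteor.call 'messages.insert', cleaned
```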