Accessing to DB at client side as in server side with meteor

回眸只為那壹抹淺笑 submitted on 2019-12-30 06:26:08

Question


I read this at the docs:

Database Everywhere. Use the same transparent API to access your database from the client or the server.

This is great, but I think there are some security issues. Providing full and transparent access to the database at client side, you are exposed to bad users, who modify your JS code (it's really in his browser and he can do it) and add any database action that could retrieve/remove/update data that perhaps could be sensitive.

Please, correct me if I'm wrong. Thanks!


Answer 1:


You are correct. The developers are currently working on Auth and security concerns. As of now everything is open and great for creating prototypes and test apps; however, they are vulnerable to users retrieving/removing/updating data as they like.

See the developer response to this question here: Link




Answer 2:


Meteor now includes restrictions on client database writes (allow and deny) and a complete user accounts system.




Answer 3:


Secure your app by removing the insecure and autopublish packages:

meteor remove insecure autopublish
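
Added example (not part of the original answers or of Meteor's own code): once `insecure` and `autopublish` are removed, client writes need explicit allow/deny rules and data needs explicit publications. The collection name `posts`, the field `ownerId`, the publication `myPosts` and the helper `clientWritePermitted` are hypothetical; the helper is a stand-alone model of how Meteor combines the rules, so the rule logic can be checked outside a Meteor app.

```javascript
// Added example: collection, field and publication names are hypothetical.
// Callbacks use the argument order collection.allow()/deny() pass on client writes.
const postAllow = {
  // Only a logged-in user may insert, and only a document they own.
  insert: (userId, doc) => Boolean(userId) && doc.ownerId === userId,
  // Owners may edit or delete their own documents.
  update: (userId, doc, fieldNames, modifier) => Boolean(userId) && doc.ownerId === userId,
  remove: (userId, doc) => Boolean(userId) && doc.ownerId === userId,
};

const postDeny = {
  // Deny overrides allow: ownership can never be reassigned from the client.
  update: (userId, doc, fieldNames) => fieldNames.includes('ownerId'),
};

// Stand-alone model of rule evaluation: a client write is accepted only if
// no deny rule returns true and at least one allow rule returns true.
// With no allow rules at all, every client write is rejected.
function clientWritePermitted(op, allowRules, denyRules, ...args) {
  const denied = denyRules.some((r) => Boolean(r[op] && r[op](...args)));
  const allowed = allowRules.some((r) => Boolean(r[op] && r[op](...args)));
  return !denied && allowed;
}

// Inside a Meteor app (assumes the Meteor and Mongo globals), register the
// rules and replace autopublish with an explicit per-user publication.
if (typeof Meteor !== 'undefined' && typeof Mongo !== 'undefined') {
  const Posts = new Mongo.Collection('posts');
  if (Meteor.isServer) {
    Posts.allow(postAllow);
    Posts.deny(postDeny);
    Meteor.publish('myPosts', function () {
      // Anonymous clients get an empty, ready subscription.
      if (!this.userId) return this.ready();
      return Posts.find({ ownerId: this.userId });
    });
  }
}
```
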


Source: https://stackoverflow.com/questions/10110743/accessing-to-db-at-client-side-as-in-server-side-with-meteor
