
Comments (6)

alanning commented on July 30, 2024

Hi @warsamebashir,

You'll need to perform that authorization check on both the server-side and the client-side.

In our app we have two similar checks, one for "email verified" and one for "accepted terms of service". Both live on the user object. On the server, we have an Auth.authorized function that takes the name of an action, user credentials, and optional data and dispatches to custom methods for each action. Each meteor call or publish function will first check with Auth before returning data or executing the requested action.

So you would check the user's billing status inside the authorized functions as appropriate.

On the client side, we have an authenticate filter that runs before most every route and redirects depending on user status. So if a user has logged in but the user's email isn't validated yet, then we redirect them to the Awaiting Validation template instead of the requested page.

Lemme know if that makes sense. If you'd like, you can use the example apps as a test bed and add the billing functionality in there. Send PRs and I'll modify as appropriate. That way I can help you directly and also other people will benefit from the improved examples. :-)

from meteor-roles.

wbashir commented on July 30, 2024

That helps. Do you by chance have an example of the Auth.authorized function you are talking about? I would like to see how you have abstracted away something which takes an action and credentials and dispatches. I have been looking for best practices around Meteor as I am finding myself repeating the same checks in several places. THANKS, by the way.


alanning commented on July 30, 2024

Yes, I can add it to the examples. We'll need some other simple actions
for our authorized users to perform. What do you suggest (emphasis on
simple)?

On Fri, Jan 17, 2014 at 10:29 PM, warsamebashir wrote:

> Closed #25.


wbashir commented on July 30, 2024

In my current app, users attempt to check a balance owned by an entity. You have to have completed a form in order to view this balance. Right now, the user's profile is where this field, forms_completed: true | false, is stored. I would like to do client-side and server-side checks for a route /view/balance/sheet_1. Does that make sense?


alanning commented on July 30, 2024

Security-related things should never be stored in the user's profile since the user can freely modify it. user.profile is only intended for use for contact info and user preferences like firstname or favColor.

I'm pretty swamped with work for my startup now so I'd appreciate you starting the update to the example apps. For the first change, here's what I'd suggest:

  1. Add an inArrears field to the user object
  2. Add a check to the client-side routing to redirect if inArrears is true
  3. Add a check to the server-side publish functions that stops the subscription if the user is inArrears

Send me a PR and I'll help out and add in the dispatching Auth.authorized function.

from meteor-roles.
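
The dispatching authorization check discussed in this thread, as an added example (not code from meteor-roles or from either commenter). Auth.authorized, the action names, entityIds and the sample users are assumptions; inArrears is kept as a top-level user field rather than under profile, and the code runs as plain JavaScript without Meteor.

```javascript
// Added example. Auth, the action names, entityIds and the sample data are
// hypothetical; inArrears is the field name suggested in the thread.
const Auth = {
  // One handler per action. Each receives the user document as loaded on the
  // server plus optional data, and returns true only when the action is allowed.
  handlers: {
    viewBalance(user, data) {
      // Billing status comes from the top-level field, never from
      // user.profile, which the user can modify. A missing field is treated
      // as in arrears (fail closed), a choice made for this example.
      if (user.inArrears !== false) return false;
      const entityId = data && data.entityId;
      return Array.isArray(user.entityIds) && user.entityIds.includes(entityId);
    },
    updatePreferences() {
      return true; // any logged-in user
    },
  },

  authorized(action, user, data) {
    if (!user) return false; // not logged in
    // Own-property lookup, so names such as "constructor" or "__proto__"
    // never resolve to a handler. Unknown actions are denied.
    if (!Object.prototype.hasOwnProperty.call(Auth.handlers, action)) return false;
    return Auth.handlers[action](user, data) === true;
  },
};

// Shape of the server-side guard a publish function or method would use:
// ask Auth first and hand back no data when the answer is no.
function publishBalance(user, entityId, balances) {
  if (!Auth.authorized("viewBalance", user, { entityId })) return [];
  return balances.filter((b) => b.entityId === entityId);
}

// Constructed sample data. lateUser has set profile.inArrears to false,
// which must have no effect on the decision.
const paidUser = { _id: "u1", inArrears: false, entityIds: ["e1"], profile: {} };
const lateUser = { _id: "u2", inArrears: true, entityIds: ["e1"],
                   profile: { inArrears: false } };
const balances = [{ entityId: "e1", amount: 120 }, { entityId: "e2", amount: 75 }];

console.log(publishBalance(paidUser, "e1", balances));
console.log(publishBalance(lateUser, "e1", balances));
```

The client-side route filter can call the same Auth.authorized to decide on a redirect, but only the server-side call protects the data.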

wbashir commented on July 30, 2024

Thanks, I will clone and update the examples folder for iron-router, then send a PR.
