Set User Roles doesn't work about meteor-roles HOT 7 CLOSED

The calls to Roles have to come after onCreate completes; until then there is no user record for Roles to update.

There's a bit more about it here, as well as a link to an SO question about it: https://github.com/alanning/meteor-roles/blob/master/README.md#usage

On Aug 12, 2014, at 6:55 AM, bitomule [email protected] wrote:

I want to set user Roles inside onCreateUser and it doesn't work. I have:

Roles.setUserRoles(user, 'admin', 'tesgroup');
console.log(Roles.userIsInRole(user,'admin','tesgroup'));
And it's always false. Any ideas on this?

—
Reply to this email directly or view it on GitHub.

from meteor-roles.

Thanks @alanning , I'll try to expose my problem, maybe you can help me:

On register form I add some extra data as that user register form can include creating a group or not. That group is created inside onCreate and I want to add roles for that group inside onCreate.

If that's not possible, how can I add roles in server to that user and that group?

User's doesn't keep a reference to the group. The only place where that info is available is inside onCreate or in client and I don't want to allow client to add roles.

from meteor-roles.

Not sure the specifics of what you're doing but I'd suggest a Meteor method that performs the actual user creation and setup.

The 'server' section of https://github.com/alanning/meteor-roles#usage has a similar example to what your Meteor method would do: users are created using Accounts.createUser and then permissions are added with Roles.

from meteor-roles.

And is it possible to add group and roles to the user object? I can add roles using:

user.roles = ['role1']

Can I add a role to a group with something like that? I've tried:

user.roles['group'] = ['role1']

but it donesn't work.

Creating account server side is a bad idea as I have to send user password without any security to the server, no?

from meteor-roles.

You can manually do the same thing that the Roles package does and modify the user object. This explains the structure: https://github.com/alanning/meteor-roles/blob/master/README.md#changes-to-default-meteor-behavior Just be sure to save the user object back to the db or else it won't persist.

Anything done on the client-side is insecure because the client-side code executes on machines outside of your control and they can change it however they want. The server-side code is secure because you control the execution of code and manage access to resources (like the database).

All communications between the client and server need to be via SSL or else you don't know whether a 3rd-party has intercepted and/or modified the data or not. I'd recommend reading up on how application security works on the web. This may be a good place to start: https://www.owasp.org/index.php/Getting_Started

from meteor-roles.

Thanks @alanning ,

we're going to use SSL too, of course. I have finally solved setting user data manually:

user.roles = {}; 
user.roles['_' + options.groupId] = ['admin'];

And I create the roles on Meteor startup.

from meteor-roles.

Cool! Glad you got it working.

from meteor-roles.