Meteor.users update to user.profile forbidden #809

Closed
belisarius222 opened this Issue Mar 14, 2013 · 10 comments

belisarius222 commented Mar 14, 2013

This was broken by the recent security change in Meteor 0.5.8.
From the docs:

Users are by default allowed to specify their own profile field with Accounts.createUser and modify it with Meteor.users.update. To allow users to edit additional fields, use Meteor.users.allow.

My dev environment has the autopublish and insecure packages turned on.

Here is an app that throws the "access denied" error: https://github.com/belisarius222/user-permissions-test online at http://user-permissions-test.meteor.com

When I add an allow function for Meteor.users, it does work correctly.

belisarius222 commented Mar 14, 2013

update: I thought the problem might have just been that the command I was running was changing a field of the profile before the profile existed, but this bug also happens when I try to set the profile field with:
Meteor.users.update(Meteor.userId(),{$set: {profile: {herp:'derp'}}});

Hmm, I guess there's a possibility that I've misread the docs and that the profile field can only be created by Accounts.createUser, not by client code. If so, I think some docs clarification might be in order.

Member

glasser commented Mar 14, 2013

What error do you get?

Member

glasser commented Mar 14, 2013

Oops! Somehow the change to the Meteor.users.allow that Nick and I both distinctly remember making last night doesn't appear to have been released! Good news is the bug just blocks valid updates, not vice versa. I will push a fix to devel when I get home tonight and we'll release tomorrow.

belisarius222 commented Mar 14, 2013

Ok cool. Thanks for the quick turnaround on the security fix, btw!

glasser added a commit that referenced this issue Mar 14, 2013

Member

glasser commented Mar 14, 2013

Fixed on devel. Sorry Ted!

Member

n1mmy commented Mar 14, 2013

Released in 0.5.9.

joshorig commented Nov 9, 2013

Using 0.6.6.3

I seem to get the following error when trying to update the user profile:

Code:
Meteor.users.update(Meteor.userId(),{$set: {profile: {email:'test'}}});

Error:
error: 404, reason: "Method not found", details: undefined, message: "Method not found [404]", errorType: "Meteor.Error"…}

Member

glasser commented Nov 12, 2013

@joshorig That seems like a different issue. File a new bug report with a complete reproduction recipe starting with git clone. https://github.com/meteor/meteor/blob/devel/Contributing.md#filing-bug-reports

nicholasalanbrown commented Mar 15, 2015

Hmm, I'm still seeing this issue when running this update on client-side code:

Meteor.users.update({_id: Meteor.userId()}, { $set: {'profile.name': name} });

I get an "Access denied" error on the client. Has this regressed again, or do I need to specify allow rules to update profile fields?

Member

glasser commented Mar 28, 2015

@nicholasalanbrown That seems like a different issue. File a new bug report with a complete reproduction recipe starting with git clone. https://github.com/meteor/meteor/blob/devel/Contributing.md#filing-bug-reports
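
The documented default quoted in the first comment (a user may modify their own profile, and Meteor.users.allow opens up further fields) corresponds to an update rule like the one below. This is an added example, not code from the thread or from Meteor itself; `allowOwnProfileUpdate`, `topLevelFields`, `check` and the sample documents are hypothetical names and constructed data, and only operator-style modifiers such as `$set` are assumed.

```javascript
// Update validator with the argument order Meteor passes to
// collection.allow({update: ...}): (userId, doc, fieldNames, modifier).
// fieldNames lists the top-level fields the client's modifier touches.
function allowOwnProfileUpdate(userId, doc, fieldNames) {
  // Reject logged-out callers and writes to someone else's document.
  if (!userId || doc._id !== userId) return false;
  // Permit the write only if 'profile' is the sole top-level field touched,
  // so a single modifier cannot smuggle in another field alongside it.
  return fieldNames.length === 1 && fieldNames[0] === 'profile';
}

// Hypothetical stand-in for Meteor's own field extraction, so the rule can be
// exercised offline: 'profile.name' counts as the top-level field 'profile'.
function topLevelFields(modifier) {
  const fields = new Set();
  for (const op of Object.keys(modifier)) {
    for (const path of Object.keys(modifier[op])) {
      fields.add(path.split('.')[0]);
    }
  }
  return [...fields];
}

function check(userId, doc, modifier) {
  return allowOwnProfileUpdate(userId, doc, topLevelFields(modifier));
}

// Constructed sample documents and modifiers.
const alice = { _id: 'alice', profile: {} };
const bob = { _id: 'bob', profile: {} };
const results = {
  setWholeProfile: check('alice', alice, { $set: { profile: { herp: 'derp' } } }),
  setProfileSubfield: check('alice', alice, { $set: { 'profile.name': 'A' } }),
  otherUser: check('alice', bob, { $set: { 'profile.name': 'A' } }),
  extraField: check('alice', alice, { $set: { 'profile.name': 'A', isAdmin: true } }),
  loggedOut: check(null, alice, { $set: { 'profile.name': 'A' } }),
};
console.log(results);

// Inside a Meteor app the same function can be registered on the server.
if (typeof Meteor !== 'undefined' && Meteor.isServer) {
  Meteor.users.allow({ update: allowOwnProfileUpdate, fetch: ['_id'] });
}
```

Because a rule of this shape makes everything under `profile` writable by the account owner, fields the server relies on for authorization belong outside `profile`.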
