Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

allow function, selector is undefined #432

Open
KusokDobra12 opened this issue May 22, 2019 · 1 comment
Open

allow function, selector is undefined #432

KusokDobra12 opened this issue May 22, 2019 · 1 comment

Comments

@KusokDobra12
Copy link

KusokDobra12 commented May 22, 2019
edited
Loading

Hello i used allow function as the autor mentioned to filter the other users out, so they won't sensitive data.

I use like this:

new Tabular.Table({
    name: "Teams",
    collection: Teams,
    allow: function (userId, selector) {
        if (selector.userId !== userId && selector.userId !== +selector.userId) {
            return false; // not allowed to access another user's products
        }
    },
    columns: [
        {data: "team", title: "Team Name"},
        {data: "counter", title: "Players count"},
        {data: "last_played", title: "Last played"}
    ]
});

Then on client i use template called teams with selector defined like this:

Template.teams.helpers({
    selector() {
        return { counter: this.players_num, userId: Meteor.userId() }; 
    }
});

<template name="teams">
<div class="row">
   {{> tabular table=TabularTables.Teams selector=selector id="teams" class="table table-bordered"}}
 </div>
</template>

So i pass counter and userId fol filtering, but when i break point on allow i can see that second paramter selector is undefined, please help, how to properly pass this ? Or i misunderstood this? Basically i need to pass a filter by players + security so only current user can see his team.

Also another question, can i use allow to filter additional fields? Like for example i want to get from collection using team id, this team id is tored in Meteor.user.profile, so can i do something like this?

    allow: function (userId, selector) {
        if (selector.team_id !== Meteor.user().profile.team_id) {
            return false; // not allowed to access another user's products
        }
    }

Can i filter like that?
@evolross
Copy link

According to the docs, allow only passes a userId, not the selector. So that's why it's undefined. Use changeSelector if you want the selector on the server-side for checking security. See Modifying The Selector. But I'm pretty sure you can't use this to limit access to certain fields.

I don't think you can limit fields based on a selector. But you can use initComplete: function(settings, json) {...} and hide columns based on anything you want. But this isn't secure, as all the fields of your table are still on the client. It's just for the UI of the table to hide columns.

There's also allowFields but this only allows usage of the userId for calculations. No access to the selector unfortunately.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@evolross @KusokDobra12