Up to now, the Digits system has used the “insecure” package, which enables clients to update the Mongo database in any way they want. In this experience, you’ll remove the insecure package and replace the calls in your client code with Meteor method invocations. This allows you to control the way a client modifies the database.
Before starting this WOD, please read through Meteor Tutorial: Security with methods. You may also find Meteor Guide: Methods useful to skim before starting this WOD.
As with the earlier Digits WODs, feel free to watch me solve it first, and then try it yourself.
Before starting this WOD, be sure to have merged the branch containing the “final” version of your previous WOD into master. See the screencast in the Readings for an illustration.
Note that switching branches on a running meteor application has the potential to put the application into an inconsistent state. To minimize problems, whenever you switch branches while doing meteor development, it is best to:
meteor reset
to clear out the contents of the database.meteor --settings ../config/settings.development.json
.Ready? Let’s begin:
Start your timer.
Create and switch to a branch called “methods-1” in your local repository. You will do all the work for this WOD in this branch.
Run meteor remove insecure
, and then meteor --settings ../config/settings.development.json
. After logging in, you will find that while you can see the Contacts associated with a user, you can no longer add new Contacts or edit existing ones.
Following the approach in Meteor Tutorial: Security with methods, create a method named “contacts.insert”. This method should:
Since this is a bit complicated to figure out the first time, here is example code for the insert method:
'contacts.insert': function insertContact(contact) {
check(contact, Object);
if (!this.userId || this.userId !== contact.owner) {
throw new Meteor.Error('Not signed in or attempting to add a contact you do not own.');
}
const schemaContext = ContactsSchema.namedContext('contacts.insert');
schemaContext.resetValidation();
schemaContext.validate(contact);
if (schemaContext.isValid()) {
Contacts.insert(contact);
} else {
throw new Meteor.Error('Invalid contact object.');
}
},
Next, you need to call the contacts.insert method in add-contact-page.js. You need to replace the insert call on the Contacts collection with a call to the ‘contacts.insert’ method, and provide a callback method that runs when the method completes. Again, this is a little complicated the first time, so here’s example code:
Meteor.call('contacts.insert', newContact, (err) => {
if (!err) {
instance.messageFlags.set(displayErrorMessages, false);
FlowRouter.go('Home_Page');
}
});
Now check to see that you can add a new Contact successfully.
Verify that the owner field is added to the updatedContact object in edit-contact-page.js. (This was not shown in Digits 7.)
Create a contacts.update method and invoke it within edit-contact-page.js. Note that this method must be passed thethe ID of the Contact to be updated as well as the object containing the updated values. Use Destructured parameters to accomplish this easily.
Test that Contacts can now be updated successfully.
Once you’ve finished, commit your changes to GitHub, and check to see that your changes are there.
Stop your timer and record your time. Be sure to record it, because you will need your WOD time data when you write your technical essay.
Rx: <23 min Av: 23-30 min Sd: 30-35 min DNF: 35+ min
You can watch this before doing the WOD if you like:
If you want to try this WOD again, just commit your branch, then switch to the master branch to reset your system to its state at the end of the first Digits experience. Then create a new branch called multiuser-2 and start over.
This WOD does not need to be submitted. It is just for review purposes.