If you turn autopublish off. How tamper proof and secure is the client side

Question

0

Asked: June 9, 20262026-06-09T00:19:17+00:00 2026-06-09T00:19:17+00:00

If you turn autopublish off. How tamper proof and secure is the client side

0

If you turn autopublish off. How tamper proof and secure is the client side Meteor.users collection?

My experiments have shown it to be tamper proof. I have tried client side scripting on the console to insert, update and remove and get 403 errors.

For example you can try this, use one of your users collection ids and then $push something or $set something. You can also try remove and inserts too.

Meteor.users.update({_id: "72277b27-3a53-4aa3-82b7-fb096060a8dc"}, {$set: {foo:'bar'}})

or

Meteor.users.insert({this:'that'})

or

Meteor.users.remove({_id: "72277b27-3a53-4aa3-82b7-fb096060a8dc"})

and you should get a 403 on all of these.

But how tamper proof and secure is it?

Thanks
Steeve

Report

Leave an answer
Cancel reply

You must login to add an answer.

Need An Account,

1 Answer

Editorial Team · Answer 1 · 2026-06-09T00:19:21+00:00

Editorial Team

2026-06-09T00:19:21+00:00Added an answer on June 9, 2026 at 12:19 am

Seeing as Meteor.users is fresh on the auth branch and not part of an official release, I’d consider it bleeding-edge with the possibility of bugs (which you should report if you find, by the way).

That being said, it appears to be designed with the goal of being tamper-proof and secure, given that it’s part of an authentication system.

0

Reply
Share
Share

- Report

Sign Up

Sign In

Forgot Password

The Archive Base Latest Questions

If you turn autopublish off. How tamper proof and secure is the client side

Leave an answerCancel reply

1 Answer

Leave an answer
Cancel reply