Access Denied [403] when updating client user accounts in Meteor
I am reading the docs for Meteor here and the useraccounts package here but cannot find an answer. I added the useraccounts package successfully and created some users, but now I want to add some data to the entry in the collection for the given user.
For example after creating an account and logging in. I want the user to be able to add / edit some fields in their post (short bio, etc.), but I keep getting a 403 error on execution Meteor.users.update(..)
.
My login config file can be found here .
Code causing the error:
Template.editProfile.events({
'submit form': function(e) {
e.preventDefault();
var profileInfo = {
displayName: $(e.target).find('[name=displayName]').val(),
tagLine: $(e.target).find('[name=tagLine]').val(),
aboutMe: $(e.target).find('[name=aboutMe]').val()
};
Meteor.users.update(
{ _id: Meteor.userId()},
{ $set: profileInfo},
function (err) {
if(err) {
console.log('there was an error submitting editProfile data');
console.log(err);
} else {
Router.go('profile');
}
}
);
}
});
Executing the console logs shows what is being Meteor.userId()
returned correctly, so I'm not sure what the problem is. I'm guessing it's an allow / deny issue, but I don't even know where to start troubleshooting.
The exact error:
error: 403
errorType: "Meteor.Error"
: "Access Denied [403]"
reason: "Access Denied"
source to share
By removing the package insecure
, client write access will be denied by default. If you want to allow clients to write directly to the collection, you need to define rules.
For example:
Meteor.users.allow({
update: ownsDocument
});
ownsDocument = function (userId, doc) {
return doc && doc.userId === userId;
};
The function ownsDocument()
checks if the specified userId
document has. In addition to postback, update
you can set rules for insert
and remove
.
Learn more about Meteor collection.allow (options) , access the demo app, or clone the repository .
source to share