[tracker1]

I think that Meteor is pretty awesome, but it isn't good for a lot of use cases out of the box... If you need really granular and flexible security around your models, the out of the box security isn't (or wasn't last I checked) good enough.

Common case.. GROUP_A users can read/write their own documents, but only read other user's documents in that group... GROUP_B can read/write their own documents as well as all documents owned by users in GROUP_A. This is a pretty typical scenario for management chain permissions, but when I've looked ad Meteor and similar solutions it wasn't an option (or incredibly difficult to implement).

[primigenus]

At a high level, what you're describing is pretty straightforward to implement. You just publish the data a user has access to read, and you use allow/deny rules to determine which they can write to.

You should take a look at the Roles package: https://github.com/alanning/meteor-roles

I recommend taking another look at Meteor's security because although it's different to other platforms, different doesn't mean inferior. It's actually very powerful and simple once you get the hang of it.

[tracker1]

Cool... as I admitted it's been a long while since I've looked at implementations... last I looked, if you opened your Meteor server to the (html/web) client, the client could do nasty things to your backend database, or you had to implement some complicated and/or not very flexible permissions... I'm glad to see that this has changed.

[lourd]

This is more of a data modeling and permissions question, more dependent on the database choice rather than the framework I'd say. Since Meteor only supports Mongo right now, I'll use Mongo terms (collections & documents)

Meteor gives you an accounts collection so you don't have to declare it yourself. But we do need to declare the Groups Collection

    Groups = new Mongo.Collection('groups');

Let's assume we want Users and Groups to have a many to many relation, so each User doc has an attribute `groups`. `groups` is an array of which each element is the unique id of a Group document. Similarly, Group documents have an attribute `members`, an array of which each element is a User document unique id.

There is a third Collection needed, documents.

    Documents = new Mongo.Collection('documents');

Each document in the Documents Collection has an `owner` field that is the unique id of a Group document.

To handle the security for inserting or updating the Documents Collection, you need to set 2 allow rules on the Collection to check if the document.owner is in the user.groups array.

    Documents.allow({
      insert: function(userId, doc) {
        // doc's owner must be one of logged in user's groups
        return Meteor.user().groups.indexOf(doc.owner) > -1;
      },
      update: function(userId, doc, field, modifier) {
        return Meteor.user().groups.indexOf(doc.owner) > -1;
      }
    }

As for reading the document, you do that when declaring your Publications. Easiest would be to publish all of them, but you could also pass in a groupId or array of groupIds if you wanted to have some restrictions.

    Meteor.publish("documents", function() {
      return Documents.find();
    };

[uptownJimmy]

I am not a hater, quite the contrary. I've messed around with Meteor just a bit, and loved it. But I cannot get my head around one thing: why in the world would anyone actually choose to use MongoDB over Postgres or MySQL ?Is there actually a use case where a NoSQL db would be as good or preferable? Or is it really all just a matter of people being intimidated by SQL? Because everything informed and trustworthy that I read on the subject says that NoSQL is simply not robust enough for doing anything more complicated than storing a list of names and email addresses for a simple user forum. That ain't gonna cut it for most apps.

[lourd]

My web development experience started with Rails, Postgres, and SQLite about 16 months ago and starting using Meteor about 10 months ago. In the handful of Rails apps I made, all of my interactions with the database were done through Active Record; I was an abstraction away from any SQL queries. I declared my relationships and got the data I wanted with simple `object.attribute` syntax.

In Mongo, I do the same thing but without an ORM. I declare objects and insert them. If I want relationships between collections I have to declare them myself, but that's just declaring some foreign key fields. I denormalize my data model in some places so I don't have to do that too often, though. And Meteor gives me this interface on the client as well — that along with data reactivity and a pub-sub architecture is a lot of fun to build with.

I've seen a lot of hate for Mongo and I'm not sure why. SQL and NoSQL databases are both capable of doing the same thing, they just have different use cases that they excel at. This video (https://www.youtube.com/watch?v=rRoy6I4gKWU) is the clearest talk I've seen explaining their differences, and having watched that I'm unsure of why people are so rabidly for or against each type of database.

[eatmyshorts]

Remember that Meteor only just reached v1.0. There still is much to come from the platform. Redis support is being implemented currently, and shows great promise: https://groups.google.com/forum/m/#!topic/meteor-core/Jl5Jt7... Several people are working to integrate standard SQL support, too: https://github.com/numtel/meteor-mysql http://www.lshift.net/blog/2013/02/25/live-updates-to-meteor...

It was a big concern at first for me, too. But the platform is so much fun to develop with I decided to start developing with it anyways. Seeing the pace at which things are developing with the platform, and knowing about these non-Mongo data store efforts, I am certain that this won't be a drawback for the platform for very long.

[achipa]

AFAIK The reactive part is not that easy to with Mysql et al - sure, you can hack around stored procedures, UDF and such, but it's far from being elegant. If you "think in SQL", then of course nosql seems to make everything difficult, but in reality, you're just taking back some of the logic and heavy lifting from the DB server in exchange for more freedom/scalability, which may or may not be something you want.

[uptownJimmy]

Thanks to all for the intelligent replies.

I 'think SQL' all day, or at least a simple subset of it, and I need to learn more. It's paying my bills as a .NET/JavaScipt dev, you know? I'd like to integrate it into my hobby projects. But I'm gonna watch that video linked above and see what it sells me. I certainly don't have any innate resistance to thinking of data as (basically) JSON arrays. I love that. We use that sorta stuff all the time at work, passing data back and forth, to and from the core client JavaScript functions.

I just can't shake the notion that NoSQL is so popular because SQL just is NOT. And I get that: SQL is freaking complicated once you get to the parts that make it so powerful. But maybe that's all a misunderstanding on my part.

[tracker1]

How does your example prevent someone with access to your meteor server from bypassing your custom permissions? My understanding is the code in question runs on the client.

[kazagistar]

I think the code runs in both places. In the client, it describes the messages it will send, and in the server, it describes the messages to expect. So the server still verifies that the database requests are only permitted ones.

[achipa]

There is no difference compared to a web page - the permissions are still handled server-side, I'm just relaying the events via DDP.