2
votes

I want to publish some limited user information about my users. The idea is that the admin role of my web app can view the email address and username (the last one is in the profile data).

Meteor.publish("usersSpecificDataforAdmin", function () {
    return Meteor.users.find({}, {fields: {
        'profile': 1,
        'emails': 1,
        'roles': 1
    }});
});

I'm then subscribing to this in my router:

adminRoutes.route('/users', {
  name: 'adminUsersList',
  subscriptions: function (params, queryParams) {
    this.register('adminUsersList', Meteor.subscribe('usersSpecificDataforAdmin'));
  },
  action: function (params, queryParams) {
    BlazeLayout.render('layout_frontend', {
      top: 'menu',
      main: 'adminUsersList',
      footer: 'footer'
    });
  }
});

In the template, I'm using the following to display the email address of the user: '{{emails.address}}', but that doesn't work. I can display all other info.

I have the following questions:

  • How can I display the email address of the user in the template?
  • Even when I don't add the password or services fields in the publication, they are sent to the client (doing Meteor.user() reveals all the info, including passwords etc.), which is a security issue in my opinion. How can I disable the publication of this?

1 Answer

3
votes

Several things:

  1. You don't need to include _id in the list of fields to be published; it is always included.
  2. You're publishing allUserData, but your router code is subscribing to usersAllforAdmin, which you're not showing code for. I suspect that publication is including services.
  3. Passwords are not stored anywhere in Meteor; only the bcrypt hash of the password is stored in services.
  4. emails is an array, so you can't access it with {{emails.address}} in spacebars; instead use {{emails.[0].address}} (reference).
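An added example, not code from the question or the answer: the publication shown in the question returns its cursor to any subscriber, so the admin-only intent has to be enforced inside the publish function, next to the field whitelist. The names `makeAdminUsersPublication`, `firstEmail`, `sampleUsers` and `runPublication` are hypothetical, and the wiring comment assumes the alanning:roles package (`Roles.userIsInRole`) with a role named 'admin'.

```javascript
// Top-level fields an admin listing needs; `services` (bcrypt hash, login
// tokens) is deliberately absent.
const ADMIN_USER_FIELDS = { profile: 1, emails: 1, roles: 1 };

// `users` is a collection exposing find(selector, options); `isAdmin` is a
// hypothetical callback (userId -> boolean). In a Meteor app (assumption):
//   Meteor.publish('usersSpecificDataforAdmin', makeAdminUsersPublication(
//     Meteor.users, id => Roles.userIsInRole(id, 'admin')));
function makeAdminUsersPublication(users, isAdmin) {
  return function () {
    // this.userId comes from the connection's server-side login state.
    if (!this.userId || !isAdmin(this.userId)) {
      return this.ready(); // empty result: no documents reach this client
    }
    return users.find({}, { fields: ADMIN_USER_FIELDS });
  };
}

// Null-safe equivalent of {{emails.[0].address}} for use in a template helper.
function firstEmail(user) {
  const emails = (user && user.emails) || [];
  return emails.length > 0 ? emails[0].address : '';
}

// Constructed stand-in for Meteor.users so the block runs without Meteor.
// It applies only a top-level inclusion projection and always keeps _id.
const sampleUsers = {
  docs: [
    { _id: 'u1', profile: { username: 'alice' }, roles: ['admin'],
      emails: [{ address: 'alice@example.com', verified: true }],
      services: { password: { bcrypt: 'CONSTRUCTED-HASH' } } },
    { _id: 'u2', profile: { username: 'bob' }, roles: [], emails: [] },
  ],
  find(selector, options) {
    const keep = ['_id', ...Object.keys(options.fields)];
    return this.docs.map(doc => Object.fromEntries(
      Object.entries(doc).filter(([key]) => keep.includes(key))));
  },
};

// Run the handler the way the server would, with a given session user id.
function runPublication(userId) {
  const isAdmin = id => sampleUsers.docs.some(
    d => d._id === id && d.roles.includes('admin'));
  const handler = makeAdminUsersPublication(sampleUsers, isAdmin);
  return handler.call({ userId, ready() {} }) || [];
}
```

The stand-in returns an array where `Meteor.users.find` returns a cursor; the handler itself is unchanged between the two.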