2

This question builds on a previous one (see here).

The dynamic subscription is set up with this code (slightly modified from the previous question):

Meteor.startup(function(){
  Meteor.subscribe('parents');

  Deps.autorun(function() {
    parent = Parents.findOne({ _id: Session.get('parentId') });
    if (!parent) return;
    Meteor.subscribe('kids', parent);
  });
});

The problem is that the server side must trust the parent object that is passed by the client. Ideally, one would want to pass only the _id of the parent object like this:

  Deps.autorun(function() {
    parentId = Session.get('parentId');
    if (!parentId) return;
    Meteor.subscribe('kids', parentId);
  });

But, in this case, the dynamic subscription behavior breaks (e.g., the kids collection is not updated on the client when the parent's children array is updated).

Why is Session.get('parentId') less reactive than Parents.findOne({ _id: Session.get('parentId') }), or has this to do with Meteor.subscribe('kids', parent) vs. Meteor.subscribe('kids', parentId)?

What would be the best pattern to coding this right?

4

1 Answer

0

It looks like what you want to do is the following:

Deps.autorun(function() {
    // Fetch only the _id field, and pass just that id to the subscription.
    var parent = Parents.findOne({ _id: Session.get('parentId') }, {fields: {_id: 1}});
    if (!parent) return;
    Meteor.subscribe('kids', parent._id);
});

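However, this is still not completely secure. It only checks the Parents collection before attempting to subscribe, to make sure the referenced Session variable exists - which depends on the parents subscription. If you want it properly secured, you will not want to send any parents in the parent subscription to the client if the client should not see them.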

answered 2014-06-24T19:42:44.313
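
The server-side half of the point made in the answer, as an added example that is not part of the original question or answer: the body of a hypothetical `kids` publication that accepts only an id, looks the parent up itself, and publishes nothing for parents the user may not see. The `ownerId` field, the `publishKids` name and the in-memory arrays standing in for the Meteor collections are assumptions made so the code runs outside Meteor; it covers the authorization check only, not reactivity to changes in the children array.

```javascript
// Constructed sample data standing in for the Parents and Kids collections.
const Parents = [
  { _id: 'p1', ownerId: 'alice', children: ['k1', 'k2'] },
  { _id: 'p2', ownerId: 'bob', children: ['k3'] },
];
const Kids = [
  { _id: 'k1', name: 'Ann' },
  { _id: 'k2', name: 'Ben' },
  { _id: 'k3', name: 'Cal' },
];

// Hypothetical body of a server-side 'kids' publication. In Meteor this logic
// would sit inside Meteor.publish('kids', function (parentId) { ... }), with
// this.userId supplying userId and check(parentId, String) doing the type check.
function publishKids(userId, parentId) {
  // The argument is client-controlled: accept only a non-empty string id,
  // never an object that would be used as (part of) a query selector.
  if (typeof parentId !== 'string' || parentId.length === 0) {
    throw new Error('parentId must be a non-empty string');
  }
  // Load the parent on the server; no client-sent fields are reused.
  // ownerId is an assumed field that records who may see the parent.
  const parent = Parents.find(
    (p) => p._id === parentId && p.ownerId === userId
  );
  // Unknown parent, or one this user may not see: publish nothing.
  if (!parent) return [];
  // The children list comes from the server's copy of the parent.
  return Kids.filter((k) => parent.children.includes(k._id));
}
```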