It worries me that security is still not a big part of this. I hope most people don't miss the fact that it's simple because it's insecure? Good luck to them solving it without ruining what's a nice idea.
Eh, that issue is not really an issue. Server-side functions are actually a surprisingly elegant way of handling security. Basically, instead of calling Users.remove({}), .insert(), .update(), etc., you create functions on the server that are called from the client. That way, the server controls what you can and can't edit. The end result is still very simple, because you're just calling functions like user_login(), send_message(), etc. instead of operating on the database directly on the client-side.
According to the FAQ they're still working on a built-in user authentication.
If you have to implement a separate, server-side CRUD security check by hand, then I don't see why I would choose Meteor over, say, Rails or Express plus Backbone.
You wouldn't get. I use Backbone every day for my main job, and it's a great tool. Just imagine when frameworks like Meteor are complete and you can minimize a bunch of your boilerplate code.
Yep, all are effective. Security is something Meteor is currently developing and is in very early stages. To shit on them now, when they are still in active development of a product they don't even claim is production ready... is like punching babies in the face. It is completely worthless.
Having used Meteor for a few weeks, I'm always impressed with how much time it is saving me.
One of the unfortunate things about Meteor at the moment is there aren't many open projects to learn from. For others trying to gain insights into best practices through this project, here are some suggestions I may offer:
Just for a quick update. I have made a few commits to address the security problems people noted below. You can no longer reset any collections from the client, or spoof messages from a different user. If people still see issues in the code, you can let me know and I can patch those up too. =)
Agreed, timestamps are all handled by the server now. No more trusting clients. Also keep in mind this was pushed to HN about 2 hours after development started.
Yeah, because it is a tech demo, not a shippable product. There is a huge difference. Sometimes people want to get their feet wet and just play with something. They offer others a chance to follow their commits, and see where the product evolves. This leads to better knowledge sharing, and finding like-minded people in the community. Your nick really doesn't reflect your personality in this thread.
Sample, in your console type:
Messages.remove({})
or
Users.remove({})
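
Added example, not written by any commenter in this thread and not Meteor's own code: the server-side function pattern discussed above, where clients can only call named functions, the server sets the author and timestamp itself, and no function exists that resets a collection. It is a plain JavaScript in-memory stand-in rather than Meteor's API; createServer, call, the session token and the credential-free user_login are assumptions made for illustration.

```javascript
// Hypothetical in-memory server; every name here is illustrative, not Meteor's API.
function createServer(now = () => Date.now()) {
  const messages = [];        // server-side collection, never exposed to clients
  const sessions = new Map(); // token -> userId; token stands in for connection state

  // The complete set of operations a client can trigger. Nothing here removes
  // documents, so a client has no way to request Messages.remove({}).
  const methods = {
    user_login(ctx, name) {
      // Assumption: no credential check, because the thread's app has no auth yet.
      if (typeof name !== 'string' || !/^[\w-]{1,32}$/.test(name)) {
        throw new Error('invalid name');
      }
      sessions.set(ctx.token, name);
      return name;
    },
    send_message(ctx, payload) {
      if (!ctx.userId) throw new Error('not logged in');
      const text = payload && payload.text;
      if (typeof text !== 'string' || text.length === 0 || text.length > 500) {
        throw new Error('invalid text');
      }
      // Author and timestamp come from server state; payload.user/ts are ignored.
      const doc = { user: ctx.userId, text, ts: now() };
      messages.push(doc);
      return { ...doc };
    },
    list_messages() {
      return messages.map((m) => ({ ...m })); // copies, so callers cannot mutate state
    },
  };

  function call(token, name, ...args) {
    // Own-property check: inherited names such as "constructor" are not callable.
    if (!Object.prototype.hasOwnProperty.call(methods, name)) {
      throw new Error('unknown method: ' + name);
    }
    return methods[name]({ token, userId: sessions.get(token) || null }, ...args);
  }
  return { call };
}

// Constructed exchange: alice sends a payload that claims another author and time.
function demo() {
  const server = createServer(() => 1000); // fixed clock for a repeatable result
  server.call('tok-alice', 'user_login', 'alice');
  const stored = server.call('tok-alice', 'send_message', { text: 'hi', user: 'bob', ts: 1 });
  let rejected = null;
  try { server.call('tok-alice', 'remove_all_messages'); } catch (e) { rejected = e.message; }
  return { stored, rejected, count: server.call('tok-alice', 'list_messages').length };
}
```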