

Build Your First Meteor App And Discover Your Inner Artist - qiqing
http://www.ripariandata.com/blog/real-time-multiuser-drawing-with-meteor

======
bencpeters
First of all, really like the tutorial, gave me a great sense of what a Meteor
app would look like and how it would work!

As an extension though, I was wondering if this tutorial could incorporate a
discussion on how to secure a Meteor app. It seems to me that in the "Client"
code section, we get a reference to a Mongo collection without any explicit
permission required from the server. Is the security model that we can get
access to any collection created with the "new Meteor.collection" command on
the server side? How would we go about validating new inputs and removals from
clients modifying the points collection? I think examples and a discussion of
these questions would really help this tutorial and help to assuage any
concerns that people like me get from exposing a raw DB collection to the
client.

I also was wondering if Meteor had any easy built-in provisions for
offline/unreliable connection modes when you wouldn't be able to rely on a
"points.insert({})" call on the client side until connectivity returned?

(apologies if these are super basic Meteor questions - I haven't done anything
with the framework, so I don't have much experience with it, but I really
liked the straight-forwardness of this tutorial, and these were my natural
next questions after reading the tutorial).

~~~
nwm
I'm not the OP, but I did write the article. I'm probably going to write a
follow up addressing getting started with security. Meteor's security is
pretty good now, but it was a little too verbose for a short demo. Basically,
on the server side, you publish exactly the set of documents a specific
client/user will receive. You can also whitelist/blacklist specific behaviors
with allow/deny.
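
An illustration of the publish and allow/deny approach from the comment above, added here as an example; it is not part of the original thread or the article's code. The point fields `x`, `y` and `owner`, the coordinate bound and the function names are assumptions.

```javascript
// Added example: server-side rules for a "points" collection.
// Assumed document shape (not taken from the article): { x, y, owner }.
var MAX_COORD = 4096; // assumed canvas bound

function isCoord(v) {
  return typeof v === 'number' && isFinite(v) && v >= 0 && v <= MAX_COORD;
}

// Allow an insert only from a logged-in user, with exactly the expected
// fields, in-range numeric coordinates, and the caller recorded as owner.
function canInsertPoint(userId, doc) {
  if (!userId || doc === null || typeof doc !== 'object') return false;
  var keys = Object.keys(doc)
    .filter(function (k) { return k !== '_id'; }) // client-generated id
    .sort();
  if (keys.join(',') !== 'owner,x,y') return false;
  return doc.owner === userId && isCoord(doc.x) && isCoord(doc.y);
}

// Allow a removal only by the user who drew the point.
function canRemovePoint(userId, doc) {
  return !!userId && !!doc && doc.owner === userId;
}

// Wiring into Meteor. The rules are enforced only once the default
// "autopublish" and "insecure" packages have been removed from the app.
if (typeof Meteor !== 'undefined' && Meteor.isServer) {
  var points = new Meteor.Collection('points');

  // Clients receive only what the server publishes, limited to these fields.
  Meteor.publish('points', function () {
    return points.find({}, { fields: { x: 1, y: 1, owner: 1 } });
  });

  // No allow rule is given for update, so client-side updates are rejected.
  points.allow({ insert: canInsertPoint, remove: canRemovePoint });
}
```

The validators are plain functions so they can be exercised outside Meteor; the guarded block at the end only runs on a Meteor server.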

~~~
djoes
I followed your tutorial and got briefly hung up by an error saying that
Canvas wasn't defined. Turns out I was running it on the newest version of
Meteor, and in 0.6 they started putting local variables at the top level in an
IIFE. Functions declared using the named function syntax (function name() {
... }) are locally scoped, as far as I know. I fixed it by changing it to
Canvas = function() { ... }.

Other than that small problem, cool article, thanks!

~~~
nwm
Hey, nice catch! I've updated the code for 0.6.0. I'll update the readme
later, as meteor now includes better package management.

