Security Fix

.meteor/packages

@@ -18,7 +18,6 @@ es5-shim@4.6.15                # ECMAScript 5 compatibility for older browsers.
 ecmascript@0.6.3              # Enable ECMAScript2015+ syntax in app code
 shell-server@0.2.2            # Server-side component of the `meteor shell` command
 
-insecure@1.0.7                # Allow all DB writes from clients (for prototyping)
 iron:router
 npm-bcrypt@0.9.2
 stylus@2.513.9

.meteor/versions

@@ -37,7 +37,6 @@ htmljs@1.0.11
 http@1.2.11
 ian:accounts-ui-bootstrap-3@1.2.89
 id-map@1.0.9
-insecure@1.0.7
 iron:controller@1.0.12
 iron:core@1.0.11
 iron:dynamic-template@1.0.12

client/buildSessions/build_list.js

@@ -65,26 +65,21 @@ Template.buildSessionList.events({
     //if you click on a person
     'click li': function() {
         if(Roles.userIsInRole(Meteor.userId(), ['admin'])) {
-            if(this.isAbsent) BuildSessions.update({_id: this.sessionid}, {$pull: {absent: this._id}});
-            else BuildSessions.update({_id: this.sessionid}, {$addToSet: {absent: this._id}});
+            if(this.isAbsent) Meteor.call('adminNotTardy', {sessionId: this.sessionid, userId: this._id});
+            else Meteor.call('adminTardy', {sessionId: this.sessionid, userId: this._id});
         }
     },
     'click .not-coming': function(e) {
         e.preventDefault();
 
         //convert the startime to 24 hour time, make a duration out of that, add it to the start date.
         // var eventstart = moment(this.date.date).add(moment.duration(moment(this.starttime, ["h:mm A"]).format("HH:mm")));
-
-        if(moment(this.start).diff(moment(), 'hours')<this.locktime) {//if it is too late
-            BuildSessions.update({_id: this._id}, {$addToSet: {absent: Meteor.userId()}});
-        } else {
-            BuildSessions.update({_id: this._id}, {$pull: {attend: Meteor.userId()}});
-        }
+        Meteor.call('removeAttend', this._id);
       },
 
     'click .coming': function (e) {
         e.preventDefault();
-        BuildSessions.update({_id: e.target.id}, {$push: {attend: Meteor.userId()}});
+        Meteor.call('attendBuild', this._id);
     },
     'click .delete': function(e) {
         e.preventDefault();
@@ -113,4 +108,4 @@ Template.buildSessionList.events({
             }
         });
     }
-});
+});

server/publications.js

@@ -9,5 +9,5 @@ Meteor.publish(null, function (){
     return Meteor.roles.find();
 })
 Meteor.publish(null, function() {
-    return Meteor.users.find();
-});
+    return Meteor.users.find({}, {fields: {username: 1, _id: 1, profile: 1, roles: 1}});
+});

server/user_methods.js

@@ -61,6 +61,31 @@ Meteor.methods({
         } else {
             Roles.removeUsersFromRoles(e.targetUserId, ['admin']);
         }
+    },
+    attendBuild: function(e) {
+        BuildSessions.update({_id: e}, {$addToSet: {attend: Meteor.userId()}});
+    },
+    removeAttend: function(e) {
+        var session = BuildSessions.findOne({_id: e});
+        if(moment(session.start).diff(moment(), 'hours')<session.locktime) {//if it is too late
+            BuildSessions.update({_id: e}, {$addToSet: {absent: Meteor.userId()}});
+        } else {
+            BuildSessions.update({_id: e}, {$pull: {attend: Meteor.userId()}});
+        }
+
+    },
+    adminTardy: function(e) {
+        var loggedInUser = Meteor.user();
+        if (!loggedInUser || !Roles.userIsInRole(loggedInUser, ['admin'])) {
+            throw new Meteor.Error(403, "Access denied");
+        }
+        BuildSessions.update({_id: e.sessionId}, {$addToSet: {absent: e.userId}});
+    },
+    adminNotTardy: function(e) {
+        var loggedInUser = Meteor.user();
+        if (!loggedInUser || !Roles.userIsInRole(loggedInUser, ['admin'])) {
+            throw new Meteor.Error(403, "Access denied");
+        }
+        BuildSessions.update({_id: e.sessionId}, {$pull: {absent: e.userId}});
     }
-
-});
+});