I'm developing a simple application using Meteor to learn the framework. I'm using the accounts-password package which incorporates the accounts-base package.
User's will create an account and their email address will serve as their username for login in. This all works perfectly fine as intended. Now I want to take this to the next level.
I want to have the ability to temporarily ban a user for a temporary set period of time - let's say a week.
Is this functionality possible using the accounts-password package or is there another package that exists which will accomplish this functionality? Otherwise how can I implement this functionality on my own?
How about using something like isBanned flag in the users collection against each user? That way, you check for this flag before logging the user in. You could further extend this by having a date field when the ban was applied and later have a way to calculate the elapsed time to see if the ban can be auto-lifted.
db.users.findOne()
{
[...]
"username" : "superadmin",
"profile" : {
"isActive" : true,
"createdBy" : "system",
// is this user banned?
"isBanned" : false,
"updatedAt" : ISODate("2016-10-07T17:33:42.773Z"),
"loginTime" : ISODate("2016-10-07T17:25:44.068Z"),
"logoutTime" : ISODate("2016-10-07T17:33:42.660Z")
},
"roles" : [
"superAdmin"
]
}
Your login form events could be like:
Template.loginForm.events({
'submit #login-form': function(event,template){
event.preventDefault();
// Check for isBanned flag
if(Meteor.users.find({username: template.find("#userName").value,isBanned: false}) {
Meteor.loginWithPassword(
template.find("#userName").value,
template.find("#password").value,
function(error) {
if (error) {
// Display the login error to the user however you want
console.log("Error logging in. Error is: " + error);
Session.set('loginErrorMessage', error.message);
Router.go('/');
}
}
);
Meteor.call('updateLoginTime');
Router.go('loggedIn');
},
}
Related
I'm using mrt/accounts-stripe package to connect users' Stripe account to create transfers (payouts) to their account.
Basically what I've done so far, is to let the users login or create the account in my platform (even if it's not a Stripe one) and allow them to login via stripe to connect the account and let them receiving money from my service.
The problem is that once called the Meteor.loginWithStripe function of the package, it performs a logout and a login with the Stripe email and I don't want this kind of situation as it must keep the user's informations and connect the account instead of create a new one.
I'm using also these packages
accounts-ui
accounts-oauth
client side
Meteor.loginWithStripe({
stripe_landing: 'login',
scope : "read_write"
}, function (err) {
if (err){
console.log('stripe error : ' + err);
} else {
console.log('NO ERROR ON LOGIN');
}
});
startup and settings
ServiceConfiguration.configurations.upsert({ service: 'stripe' },{
$set: {
service: 'stripe',
appId: stripeAppId ,
secret: stripeSecret,
scope: 'read_write',
stripe_landing : "login"
}
});
How to keep the logged user and connect the Stripe account instead of logout and login with the Stripe account user infos?
The solution was just to add the accounts-meld package to the meteor project
I'm testing some forms in a Meteor application using Mocha. The routes in the application are authenticated, so only logged in users or users who have a role of 'administrator' can view them.
When the test opens the browser to view the url and fill the form in, it gets redirected to the login page as expected.
Is there a way to automatically log the user in before doing the test so I don't have to remove the route authentication?
Here's the test code so far
describe( 'Create a Client', function() {
it( 'should create a new client #watch', function() {
browser.url('http://localhost:3000/dashboard/clients/new')
[...]
});
});
use this:
function login(user) {
browser.url('http://localhost:3000')
browser.executeAsync(function(user, done) {
Meteor.loginWithPassword(user.username, user.password, done)
}, user)
}
// now you can do this:
login({
username: 'someone',
password: 'aSecret'
});
browser.url('http://localhost:3000/dashboard/clients/new')
Note that you need to make sure the user exists first, and for that you can use fixtures.
See here for more info:
https://forums.meteor.com/t/solved-how-can-i-wait-for-before-hooks-to-finish-when-testing-with-chimp-meteor-cucumber/18356/12
I'm using accounts-password package - Meteor.
I code interface for admin.
Admin will create accounts for other user.
Accounts.createUser({
email: "abc#gmail.com",
password : "abc123",
profile: { name: register_name }
});
But after this code executed, my application automatic login with account abc#gmail.com, wich i don't want it
Question
How to create accounts without automatic login?
I read accounts-password source but i dont know how to remove automatic login
I also tried to use Meteor.users.insert function but Accounts.setPassword didn't work..
This is a normal behavior using accounts package, to avoid messing with the source code use a Meteor.method/Meteor.call.
This is a simple example,also you can use the default username filed and not a profile:{name:register_name}.
if(Meteor.isServer){
Meteor.methods({
createUserFromAdmin:function(emai,password,username){
Accounts.createUser({email:email,password:password,username:username})
}
})
}else if(Meteor.isClient){
Template.admin.events({
'click #createAccount':function(){
Meteor.call('createUserFromAdmin',email,password,username,function(err,result){
if(!err){
console.log("a new user just got created")
}else{
console.log("something goes wrong with the following error message " +err.reason )
}
})
}
})
}
With this you can create multiple accounts on the admin template, and keep the autologin behavior on the sign-up template (if you have one)
I am using the 'accounts-base' and 'accounts-password' packages and the Accounts.createUser method to create users from a login form (i.e. I am not using the accounts-ui package).
the documentation explains that the user thus created includes a 'services' object
"containing data used by particular login services. For example, its
reset field contains tokens used by forgot password links, and its
resume field contains tokens used to keep you logged in between
sessions."
This is true and accounts created using my login form all have loginTokens. However, when I refresh the browser, these tokens are deleted and the user is logged-out.
The documentation appears to suggest that resume tokens are handled automatically by the accounts-base / accounts-password packages. What have I missed?
Accounts.createUser({
username: username,
email: username,
password: password
}, function (err) {
if (err) {
alert(err)
} else {
Router.go('/member/' + Meteor.userId() +'/edit')
}
});
creates:
"resume" :
{ "loginTokens" :
[
{
"when" : ISODate("2014-04-17T22:13:50.832Z"),
"hashedToken" : "KstqsW9aHqlw6pjfyQcO6jbGCiCiW3LGAXJaVS9fQ+o="
}
]
}
...but on refresh:
"resume" : { "loginTokens" : [ ] } },
After an exhaustive audit of my code I found that I was (idiotically) invoking the Accounts.logout method outside the confines of the log-out button event. It had somehow become 'orphaned' during an earlier re-factoring of the code
So all my fault.
The only way I have found to delete user accounts in meteor (other than emptying the database with mrt reset), is by actually logging into that specific user account, and deleting the account from the console, using:
Meteor.users.remove('the user id');
But like I said, I need to be logged in as that specific user, and have not been able to find a solution which enables me to delete any user from the db. I'm sure it has something to do with permissions or roles, but I am not sure how to proceed / what is the best solution / how to set an administrative role for a particular user, so that I can delete different user accounts.
You could do
meteor mongo
or
meteor mongo myapp.meteor.com for a deployed app
Then
db.users.remove({_id:<user id>});
I wouldn't recommend it but if you want to delete any user without being logged in from meteor you would need to modify the allow rules. But deleting a user is a very unlikely event hence the above might be the best way to do it.
Anyway if you do want, modify the Meteor.users.allow({remove:function() { return true }); property. See http://docs.meteor.com/#allow. You could add in some custom logic there so it'll only let you do so if you're the admin
I was having trouble doing this on nitrous.io because I couldn't open both Meteor and Mongo. I put:
Meteor.users.remove(' the _id of the user ');
in the isServer section to remove the user.
If anyone is still looking for an answer to this question, I have outlined my solution below.
When I create a new user, I add a field called role in my user document. If I want a user to be able to remove other users from the Meteor.users collection, I give him a role of administrator. If not, I give him a role of member. So, my user document looks something like this -
{
"_id" : ...,
"createdAt" : ...,
"services" : {...},
"username" : "test",
"profile" : {
"name" : "Test Name",
"role" : "administrator"
}
}
On the client, I have a list of users (added using a #each template tag) with a remove button next to each user. A user has to login to see this list. I defined an event handler for the remove button -
'click #remove-user-btn': function () {
Meteor.users.remove({ _id: this._id }, function (error, result) {
if (error) {
console.log("Error removing user: ", error);
} else {
console.log("Number of users removed: " + result);
}
})
}
However, Meteor.users does not allow remove operations from the client by default. So, you have to edit the Meteor.users.allow callback in the server as shown below to allow the users to be removed from the client side. But we need to make sure that only a user with an administrator role is allowed this privilege.
Meteor.users.allow({
remove: function (userId, doc) {
var currentUser, userRole;
currentUser = Meteor.users.findOne({ _id: userId }, { fields: { 'profile.role': 1 } });
userRole = currentUser.profile && currentUser.profile.role;
if (userRole === "administrator" && userId !== doc._id) {
console.log("Access granted. You are an administrator and you are not trying to delete your own document.");
return true;
} else {
console.log("Access denied. You are not an administrator or you are trying to delete your own document.");
return false;
}
},
fetch: []
});
This is the general idea. You can build upon this to suit your needs.
Here are the steps to delete user from mongo through console:
step 1: open new console
step 2: change diretory to your app such as (cd myapp)
step 3 : enter command meteor mongo
step 4: make sure there exists a table called users, db.users.find({});
step 5: find the userid of the user you wish to delete and type :
db.users.remove({_id:"nRXJCC9wTx5x6wSP2"}); // id should be within quotes