First of all, really like the tutorial, gave me a great sense of what a Meteor app would look like and how it would work!
As an extension though, I was wondering if this tutorial could incorporate a discussion on how to secure a Meteor app. It seems to me that in the "Client" code section, we get a reference to a Mongo collection without any explicit permission required from the server. Is the security model that we can get access to any collection created with the "new Meteor.collection" command on the server side? How would we go about validating new inputs and removals from clients modifying the points collection? I think examples and a discussion of these questions would really help this tutorial and help to assuage any concerns that people like me get from exposing a raw DB collection to the client.
I also was wondering if Meteor had any easy built-in provisions for offline/unreliable connection modes when you wouldn't be able to rely on a "points.insert({})" call on the client side until connectivity returned?
(apologies if these are super basic Meteor questions - I haven't done anything with the framework, so I don't have much experience with it, but I really liked the straightforwardness of this tutorial, and these were my natural next questions after reading the tutorial).
I'm not the OP, but I did write the article. I'm probably going to write a follow-up addressing getting started with security. Meteor's security is pretty good now, but it was a little too verbose for a short demo. Basically, on the server side, you publish exactly the set of documents a specific client/user will receive. You can also whitelist/blacklist specific behaviors with allow/deny.
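Added example, not part of the thread or the tutorial's code: a sketch of the publish and allow/deny approach described in the reply above, applied to the points collection. The `{x, y, owner}` document shape, the 500x500 canvas, the publication name and the helper names are assumptions made for illustration.

```javascript
// Added example, not the tutorial's code. Assumptions: each point is
// {x, y, owner}, the canvas is 500x500, and users are logged in.
var CANVAS_SIZE = 500;

// Reject anything that is not exactly {x, y, owner} with in-range numbers.
function isValidPoint(doc) {
  var keys = Object.keys(doc).filter(function (k) { return k !== '_id'; });
  if (keys.sort().join(',') !== 'owner,x,y') return false;
  return [doc.x, doc.y].every(function (n) {
    return typeof n === 'number' && isFinite(n) && n >= 0 && n <= CANVAS_SIZE;
  });
}

// Validators in the shape collection.allow() expects: (userId, doc) -> boolean.
var pointAllowRules = {
  insert: function (userId, doc) {
    return Boolean(userId) && doc.owner === userId && isValidPoint(doc);
  },
  remove: function (userId, doc) {
    return Boolean(userId) && doc.owner === userId;
  }
  // No update rule, so client-side updates are refused.
};

// Server-side wiring; call with the tutorial's collection from server code.
function registerPointSecurity(Meteor, points) {
  points.allow(pointAllowRules);
  // Clients receive only what is published here, and only these fields.
  Meteor.publish('points', function () {
    return points.find({}, { fields: { x: 1, y: 1 } });
  });
}
```

The publication only limits what clients receive once the `autopublish` package has been removed from the app.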
I followed your tutorial and got briefly hung up by an error saying that Canvas wasn't defined. Turns out I was running it on the newest version of Meteor, and in 0.6 they started putting local variables at the top level in an IIFE. Functions declared using the named function syntax (function name() { ... }) are locally scoped, as far as I know. I fixed it by changing it to Canvas = function() { ... }.
Other than that small problem, cool article, thanks!