onBeforeRemove is never called on remove() - so every user can delete files

[derwok]

Maybe I have a misunderstanding, what onBeforeRemove is intended for?

See my implemenation below... I never see the log message from onBeforeRemove - neither on server, nor on client side. Also files are successfully removed, though I always return "false" from onBeforeRemove.

I use the collection like so:

export let AttachmentsCollection = new FilesCollection({
    collectionName: 'AttachmentsCollection',
    allowClientCode: false, // Disallow attachments remove() call from clients
    storagePath: "myPath"
    onBeforeRemove: function (file) {
        console.log("onBeforeRemove:",file.name);
        return false;
    }

------------------
Meteor.methods({
    'attachments.remove'(attachmentID) {
        if (Meteor.isServer && attachmentID) {
            AttachmentsCollection.remove({_id: attachmentID}, function (error) {
                if (error) {
                    console.error("File "+ attachmentID + " wasn't removed, error: " + error.reason)
                } else {
                    console.info("File "+ attachmentID + " successfully removed");
                }
            });
        }
    }
});
---------------------
    "click #btnDelAttachment": function (evt, tmpl) {
        console.log("Remove Attachment: "+this._id);
        Meteor.call("attachments.remove", this._id);
    },

Sure, I can pull the "deny-test" into my method.
This workaround is OK for me.
But I wanted to report my obervation anyhow...
Maybe I got the idea behind onBeforeRemove wrong?

[dr-dimitru]

Hi thank you for report.
Need to test on my end, I'll be back with results

[dr-dimitru]

See my implemenation below... I never see the log message from onBeforeRemove - neither on server, nor on client side.

onBeforeRemove is Server only hook

I've run tests. You're right onBeforeRemove is not called if you call .remove() from server (trusted side).

This have be done only to protect code from Client as untrusted side.

Do you think onBeforeRemove should be called and behave the same way when .remove() called on both Client and Server?

[derwok]

Hi,
thanks for checking this one out.

Yes, I think this method should be called an server before anything gets removed. Because in this hook one can check for user's rights to do so. These checks are only meaningful on serverside. And to my knowledge the onBeforeUpload - for example works this way (e.g. check for acces rights on server side) .

So, to make the API more consistent, I would suggest that onBeforeRemove gets called server-side exactly as onBeforeUpload is already called as of today.

By the way: The API doc currently states, that onBeforeRemove() is already SERVERSIDE. See here:
https://github.com/VeliovGroup/Meteor-Files/wiki/Constructor

[dr-dimitru]

@derwok ,

The thing here is no way to define a user, when .remove() called from server.
Unlike method call from Client where user is bounded to the thread, Server has no user state.

Wouldn't it be useless without info about user? Moreover it may cause false denies on .remove() calls

[derwok]

OK. You're right.
But then API doc of onBeforeRemove is misleading wrong here:
https://github.com/VeliovGroup/Meteor-Files/wiki/Constructor

[dr-dimitru]

Note added in a49dcd3

[derwok]

constructor.md, on line 527: "Server" should be corrected to "Client"