
MeteorJS - How to prevent anonymous clients from Subscribing to a collection?


I'm using Meteor to create a web application.

The issue I'm dealing with is that I have a collection named Books, and I want it to be only available to the logged in users, and not for the anonymous users.

This is what I do:

    if (Meteor.userId()) Meteor.subscribe('Books');

But this is not the best solution, because anonymous users can still get the Books collection information by opening up their browser console and calling Meteor.subscribe('Books');.

Unfortunately this is the only solution I can think of so far. I've heard of Meteor's allow and deny, but they seem to only affect when users insert, update, or remove on a collection (not preventing users from subscribing to a collection).


Solution

  • You can restrict the subscriptions to logged in users from the server side, as follows:

    From Meteor & Security: Setting the Record Straight by Sacha Greif:

    Only publish posts if a user is logged in:

    Meteor.publish('posts', function() {
      if (this.userId) {
        return Posts.find();
      }
    });
    

    In your case you need to change posts to books, properly capitalized to match other code.

    This will cause manual attempts to subscribe while anonymous to come up empty.
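
The same server-side check applied to the Books collection from the question, as an added example that is not part of the original question or answer. So that it runs under plain Node, `Meteor` and `Books` are small constructed stand-ins and `simulateSubscribe` is a hypothetical helper playing the role of the server handling a client's `Meteor.subscribe('Books')`; in a real app only the `Meteor.publish` call belongs in server code.

```javascript
// --- Constructed stand-ins (assumptions, not Meteor's own code) ---
const publications = {};
const Meteor = {
  // Records the publish function under its name, as the server would.
  publish(name, fn) { publications[name] = fn; },
};
const Books = {
  docs: [ // constructed sample documents
    { _id: 'b1', title: 'Sample Book One' },
    { _id: 'b2', title: 'Sample Book Two' },
  ],
  find() { return { fetch: () => this.docs.slice() }; },
};

// --- The publication: this is the part that goes in server code ---
Meteor.publish('Books', function () {
  // this.userId is set by the server from the connection's login state,
  // so a client cannot supply it as a subscription argument.
  if (!this.userId) {
    // Anonymous: publish nothing, but mark the subscription ready so
    // the client is not left waiting on it.
    return this.ready();
  }
  return Books.find();
});

// --- Hypothetical helper: what a subscriber with this login state gets ---
function simulateSubscribe(name, userId) {
  let ready = false;
  const handler = { userId, ready() { ready = true; } };
  const cursor = publications[name].call(handler);
  // A returned cursor is published in full and the subscription is ready.
  if (cursor) ready = true;
  return { docs: cursor ? cursor.fetch() : [], ready };
}

// A subscribe typed into the browser console by an anonymous visitor
// arrives with userId === null and receives no documents.
const anonymous = simulateSubscribe('Books', null);
const loggedIn = simulateSubscribe('Books', 'user-123'); // constructed id
console.log('anonymous:', anonymous.docs.length, 'logged in:', loggedIn.docs.length);
```

The client-side `if (Meteor.userId())` guard can stay as a convenience, but access is decided by the check inside the publish function.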