In Meteor, we can use the browser console to update data, which means that we can update the database from the client. This works because Meteor automatically syncs these changes to the server and updates the database accordingly.
This happens because we have the autopublish and insecure core packages added to our project by default. The autopublish package automatically publishes all documents to every client, whereas the insecure package allows every client to update database records by their _id field. Obviously, this works well for prototyping but is infeasible for production, as every client can manipulate our database.
If we remove the insecure package, we will need to add "allow and deny" rules to determine what a client ...
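To make the effect of removing the insecure package concrete, the following added example (not code from the original text or from Meteor itself) models how a client update is decided with and without allow and deny rules. The helper checkClientUpdate, the collection name Posts and the owner field are assumptions made for illustration.

```javascript
// Added example: a simplified model of Meteor's allow/deny decision for a
// client-side update. checkClientUpdate is a hypothetical stand-in, not Meteor code.

// Rules take the (userId, doc, fieldNames, modifier) arguments Meteor passes to
// update rules. In an app they would be registered on the server with
// Posts.allow({ update: ownerOnly }) and Posts.deny({ update: protectOwner });
// the collection "Posts" and the field "owner" are assumed names.
const ownerOnly = (userId, doc) => Boolean(userId) && doc.owner === userId;
const protectOwner = (userId, doc, fieldNames) => fieldNames.includes('owner');

// Top-level fields touched by a modifier such as { $set: { 'meta.tag': 1 } }.
// Returns null when the modifier is a whole-document replacement.
function touchedFields(modifier) {
  const fields = new Set();
  for (const [op, changes] of Object.entries(modifier)) {
    if (!op.startsWith('$')) return null;
    Object.keys(changes).forEach((path) => fields.add(path.split('.')[0]));
  }
  return [...fields];
}

// With no rules defined, the write passes only if the insecure package is
// installed. Once rules exist, any deny rule returning true rejects the write,
// and at least one allow rule must return true for it to go through.
function checkClientUpdate({ insecure, allow = [], deny = [] }, userId, doc, modifier) {
  if (!allow.length && !deny.length) return insecure;
  const fieldNames = touchedFields(modifier);
  if (fieldNames === null) return false;
  const args = [userId, doc, fieldNames, modifier];
  if (deny.some((rule) => rule(...args))) return false;
  return allow.some((rule) => rule(...args));
}

// Constructed sample document and modifiers.
const post = { _id: 'p1', owner: 'alice', title: 'Draft' };
const retitle = { $set: { title: 'Edited' } };
const changeOwner = { $set: { owner: 'mallory' } };
const rules = { insecure: false, allow: [ownerOnly], deny: [protectOwner] };

console.log('insecure, anonymous retitle:', checkClientUpdate({ insecure: true }, null, post, retitle));
console.log('no insecure, no rules:', checkClientUpdate({ insecure: false }, 'alice', post, retitle));
console.log('owner retitles own post:', checkClientUpdate(rules, 'alice', post, retitle));
console.log('other user retitles:', checkClientUpdate(rules, 'mallory', post, retitle));
console.log('owner field change:', checkClientUpdate(rules, 'alice', post, changeOwner));
```

Running it shows that removing insecure without adding any rule blocks every client write, which is why the rules have to be defined before client-side updates work again.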