From 274f7e35b2f86393e91ef8da9095073997c26aa2 Mon Sep 17 00:00:00 2001
From: Nick Martin
Date: Mon, 15 Apr 2013 10:44:46 -0700
Subject: [PATCH] Comment on issue #828
---
 packages/accounts-base/accounts_common.js | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/packages/accounts-base/accounts_common.js b/packages/accounts-base/accounts_common.js
index 67c83755f5..bf2f2328f2 100644
--- a/packages/accounts-base/accounts_common.js
+++ b/packages/accounts-base/accounts_common.js
@@ -8,6 +8,12 @@ if (!Accounts._options) {
 // Set up config for the accounts system. Call this on both the client
 // and the server.
 //
+// XXX we should add some enforcement that this is called on both the
+// client and the server. Otherwise, a user can
+// 'forbidClientAccountCreation' only on the client and while it looks
+// like their app is secure, the server will still accept createUser
+// calls. https://github.com/meteor/meteor/issues/828
+//
 // @param options {Object} an object with fields:
 // - sendVerificationEmail {Boolean}
 // Send email address verification emails to new users created from
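Review bot: In the added XXX comment, "a user can 'forbidClientAccountCreation' only on the client" is ambiguous about who the actor is: the party who misconfigures is the app developer, while the exposure is that the server still honours createUser calls from any client. I would reword the second added line to `// client and the server. Otherwise, an app developer can set` so the comment cannot be read as describing end-user behaviour. Since the comment records a gap with no enforcement yet, it would also help to state the interim rule next to it, for example `// Until enforcement exists, put this call in code loaded by both client and server.`, and to say plainly that a client-only setting restricts the UI rather than access. The doc comment and the function it describes continue past the end of the hunk.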