为什么 Meteor.user() 在发布函数中不起作用？

Question

主要是出于好奇，同时也是为了更好地了解 Meteor 安全性，Meteor.user() 不能在发布函数内部工作的原因是什么？

Answer 1

原因就在这段代码中（来自meteor源码）

Meteor.user = function () {
    var userId = Meteor.userId();
    if (!userId)
        return null;
        return Meteor.users.findOne(userId);
};
Meteor.userId = function () {
    // This function only works if called inside a method. In theory, it
    // could also be called from publish statements, since they also
    // have a userId associated with them. However, given that publish
    // functions aren't reactive, using any of the infomation from
    // Meteor.user() in a publish function will always use the value
    // from when the function first runs. This is likely not what the
    // user expects. The way to make this work in a publish is to do
    // Meteor.find(this.userId()).observe and recompute when the user
    // record changes.
    var currentInvocation = DDP._CurrentInvocation.get();
    if (!currentInvocation)
        throw new Error("Meteor.userId can only be invoked in method calls. Use   this.userId in publish functions.");
        return currentInvocation.userId;
};