I have a Meteor application with autopublish removed.
In this app, I want to allow administrators to crud any user, but other users should only be able to update their own. With a simple Meteor.users.allow, the update function never gets called (that I can tell), but if I use Meteor.users.deny and reverse the logic, it works fine.
There is only one Meteor.users.allow function in my app. I can live with using deny, but can anyone tell me what I'm doing wrong with allow?
My allow function, which never logs anything:
console.log("Setting Meteor.users.allow");
Meteor.users.allow({
  insert: function (userId, doc) {
    // only admin can insert 
    var u = Meteor.users.findOne({_id:userId});
    return (u && u.isAdmin);
  },
  update: function (userId, doc, fields, modifier) {
    console.log("user "+userId+"wants to modify doc"+doc._id);
    if (userId && doc._id === userId) {
      console.log("user allowed to modify own account!");
      // user can modify own 
      return true;
    }
    // admin can modify any
    var u = Meteor.users.findOne({_id:userId});
    return (u && u.isAdmin);
  },
  remove: function (userId, doc) {
    // only admin can remove
    var u = Meteor.users.findOne({_id:userId});
    return (u && u.isAdmin);
  }
});
My deny function, which logs and works:
console.log("Setting Meteor.users.deny");
Meteor.users.deny({
  insert: function (userId, doc) {
    // only admin can insert 
    var u = Meteor.users.findOne({_id:userId});
    return !(u && u.isAdmin);
  },
  update: function (userId, doc, fields, modifier) {
    console.log("user "+userId+"wants to modify doc"+doc._id);
    if (userId && doc._id === userId) {
      console.log("user allowed to modify own account!");
      // user can modify own 
      return false;
    }
    // admin can modify any
    var u = Meteor.users.findOne({_id:userId});
    return !(u && u.isAdmin);
  },
  remove: function (userId, doc) {
    // only admin can remove
    var u = Meteor.users.findOne({_id:userId});
    return !(u && u.isAdmin);
  }
});
Did you make sure to put your Meteor.users.allow code in the server?
I was running into the same problem while using an allow in the client and not the server code.
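Following the answer above, an added example (not code from the question or the answer) of the allow rules written for a file that loads only on the server. `makeUserRules`, `findUser` and `SELF_EDITABLE_FIELDS` are hypothetical names, and limiting self-updates to `profile` is an assumption that goes beyond the original rules, which let a user write any field of their own document, including `isAdmin`.

```javascript
// Added example, not the poster's code. Intended for a file under server/.
// ASSUMPTION: non-admins may edit only the top-level fields listed here.
const SELF_EDITABLE_FIELDS = ['profile'];

// Build the rule set around an injected lookup so the logic can be exercised
// without a running Meteor server (findUser is a hypothetical helper name).
function makeUserRules(findUser) {
  const isAdmin = (userId) => {
    const u = userId && findUser(userId);
    return Boolean(u && u.isAdmin);
  };
  return {
    insert: (userId, doc) => isAdmin(userId),
    update: (userId, doc, fields, modifier) => {
      if (isAdmin(userId)) return true; // admin can modify any user
      if (!userId || doc._id !== userId) return false;
      // Own account: every touched top-level field must be on the list,
      // otherwise a user could set isAdmin on their own document.
      return fields.length > 0 &&
        fields.every((f) => SELF_EDITABLE_FIELDS.includes(f));
    },
    remove: (userId, doc) => isAdmin(userId),
  };
}

// Register only when running inside Meteor on the server.
if (typeof Meteor !== 'undefined' && Meteor.isServer) {
  Meteor.users.allow(makeUserRules((id) => Meteor.users.findOne({ _id: id })));
}

// Constructed sample data for a stand-alone check under Node.
function demo() {
  const users = {
    a1: { _id: 'a1', isAdmin: true },
    u1: { _id: 'u1', profile: { name: 'Sam' } },
    u2: { _id: 'u2' },
  };
  const rules = makeUserRules((id) => users[id]);
  return {
    ownProfile: rules.update('u1', users.u1, ['profile'], {}),
    ownIsAdmin: rules.update('u1', users.u1, ['isAdmin'], {}),
    otherUser: rules.update('u1', users.u2, ['profile'], {}),
    adminAny: rules.update('a1', users.u2, ['isAdmin'], {}),
    anonInsert: rules.insert(null, {}),
    adminRemove: rules.remove('a1', users.u2),
  };
}
```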