reactioncommerce / meteor-security

A Meteor package: Logical MongoDB security

Home Page:https://atmospherejs.com/ongoworks/security


Question - .ifLoggedIn()

isAlmogK opened this issue · comments

The .ifLoggedIn() method: does this mean that, for example, only a logged-in user can create a post, so if I'm logged in I can create my own post or edit my own post and no one else can? Is that correct?

It means anyone who is logged in can do that. You'd have to combine it with a custom isPostOwner or something if you want to differentiate among specific logged-in users.

Would you have an example of "isPostOwner", or is that just a simple allow/deny function?

Thanks for the quick reply

Never mind, I see it:

Security.defineMethod("ifIsCurrentUser", {
    fetch: [],
    transform: null,
    // Deny unless the calling user is the document being written
    // (i.e. userId matches the document's _id).
    deny: function (type, arg, userId, doc) {
        return userId !== doc._id;
    }
});

Just to make sure I'm doing this correctly and understand it: I first define the method and then run a check, so for example here only the current user can insert a post. Is that correct?

// Posts
// Custom security method
Security.defineMethod("isCurrentUser", {
    fetch: [],
    transform: null,
    // Deny unless the calling user's id matches the document's _id.
    deny: function (type, arg, userId, doc) {
        return userId !== doc._id;
    }
});

Posts.permit('insert').isCurrentUser().apply();

And for edit I can just chain it:

Posts.permit('insert', 'update').isCurrentUser().apply();

In the deny function, doc is the post, so you should be comparing to something like doc.userId or doc.author instead of doc._id.

Also, it should be fetch: ['author'] or whatever the property is called, so that you are able to check it for updates.

Assuming that is fetching and checking the correct property, then Posts.permit('insert', 'update').isCurrentUser().apply(); means "A user can insert a post from a client if they set themselves as the author" and "A user can update a post from a client if they are currently set as the author."
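To make the distinction in the reply above concrete, here is an added example (not code from the package or from anyone in this thread) that models how a deny function sees the document on insert versus update. The modeled semantics are an assumption for illustration only: a write is permitted if at least one rule chain has every deny function return false; on insert doc is the document the client is trying to write, and on update doc is the stored document restricted to the fetched fields. The user ids, the stored post, and the method names isCurrentUserBuggy and isPostAuthor are constructed for the demo.

```javascript
// Added example, not the package's own code: a dependency-free model of
// deny-function semantics for inserts vs. updates.
// Assumption: a write is allowed if at least one chain has all deny
// functions return false; on insert `doc` is the candidate document,
// on update `doc` is the existing document with only `fetch`ed fields.

const methods = {
  // Version from the thread: compares the caller to the post's _id and
  // fetches nothing, so no ownership field is visible on update.
  isCurrentUserBuggy: {
    fetch: [],
    deny: (type, arg, userId, doc) => userId !== doc._id,
  },
  // Corrected version following the reply above: compare against the
  // ownership field and fetch it so it is present for update checks.
  isPostAuthor: {
    fetch: ['author'],
    deny: (type, arg, userId, doc) => userId !== doc.author,
  },
};

// One "rule chain" corresponds to one Posts.permit(...).method().apply().
function chain(types, methodNames) {
  return { types, methods: methodNames.map((n) => methods[n]) };
}

// Keep only the fetched fields of a stored document, mimicking what the
// deny callback sees on update when `fetch` restricts the projection.
function project(existing, fields) {
  const out = {};
  for (const f of fields) if (f in existing) out[f] = existing[f];
  return out;
}

// Decide whether userId may perform `type` ('insert' or 'update').
// `candidate` is the doc being inserted; `existing` is the stored doc.
function isAllowed(chains, type, userId, candidate, existing) {
  return chains.some((c) => {
    if (!c.types.includes(type)) return false;
    // Union of fetch lists across the chain's methods.
    const fields = [...new Set(c.methods.flatMap((m) => m.fetch))];
    const doc = type === 'insert' ? candidate : project(existing, fields);
    return c.methods.every((m) => !m.deny(type, null, userId, doc));
  });
}

// Constructed sample data.
const alice = 'user_alice';
const mallory = 'user_mallory';
const stored = { _id: 'post1', author: alice, title: 'hello' };

const buggyRules = [chain(['insert', 'update'], ['isCurrentUserBuggy'])];
const fixedRules = [chain(['insert', 'update'], ['isPostAuthor'])];

function demo() {
  return {
    // Buggy: the owner cannot update her own post (doc._id is not fetched,
    // and would never equal a user id anyway), so every update is denied.
    buggyOwnerUpdate: isAllowed(buggyRules, 'update', alice, null, stored),
    // Buggy: a client that sets _id to its own user id passes the check
    // and can insert a post attributed to someone else.
    buggySpoofInsert: isAllowed(buggyRules, 'insert', mallory,
      { _id: mallory, author: alice }, null),
    // Fixed: the author may update, anyone else may not.
    fixedOwnerUpdate: isAllowed(fixedRules, 'update', alice, null, stored),
    fixedOtherUpdate: isAllowed(fixedRules, 'update', mallory, null, stored),
    // Fixed: insert only if you set yourself as the author.
    fixedSelfInsert: isAllowed(fixedRules, 'insert', alice,
      { author: alice }, null),
    fixedSpoofInsert: isAllowed(fixedRules, 'insert', mallory,
      { author: alice }, null),
  };
}

console.log(demo());
```

The buggyOwnerUpdate case is the one worth remembering: with fetch: [] the comparison runs against a field that is simply absent, so the rule fails closed and locks out legitimate owners rather than opening anything up, while the _id comparison on insert trusts a client-supplied value and does open something up.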

@aldeed ok, I think I understand everything and how the checks are done. What I don't understand now is how I call the check in my collection update Meteor method.

I have server/security.js:

Security.defineMethod("ownsDocument", {
    fetch: ['posterId'],
    transform: null,
    // Third argument is the id of the calling user; deny unless it
    // matches the posterId stored on the document.
    deny: function (type, arg, userId, doc) {
        return userId !== doc.posterId;
    }
});

Posts.permit('insert', 'update').ownsDocument().apply();

Now I need to run the check when I update via my Meteor method. I tried doing the following in the Meteor method postUpdate:

if (!Posts.ownsDocument) {
    throw new Meteor.Error(403, mf('accessDenied', 'Access denied'));
}

I'm sure I'm missing something simple

Checking in methods isn't supported yet, though I'd like to add some functions for that soon. Currently this is just for security of inserts, updates, and removes done in client code, i.e., it is a replacement for allow/deny syntax.

Although you could check out https://github.com/DispatchMe/Meteor-run-as-user. If you wrap your method code in Meteor.runAsRestrictedUser, it will check the security for any writes you attempt within, and throw appropriate errors.

I see, yeah, I'm not doing any inserts, updates or removes on the client; I'm doing everything via Meteor methods. Not sure there is any real value in doing it on the client. I guess I'm going to have to use allow/deny syntax anyway if I want to do it inside a method.

Are there any plans to offer this on the server?

I have an enhancement for server-side use almost done. I'll try to wrap it up and publish it this week.

Great package, aldeed! The documentation in this issue was super helpful to me. My two cents: other users might find it more easily in the main package documentation. Thanks again.

Server-side support added by 4a4c0ba in 1.3.0. See Readme.

@discdiver also put some of this info into readme.