reactioncommerce / meteor-security

A Meteor package: Logical MongoDB security

Home Page: https://atmospherejs.com/ongoworks/security

.allowInClientCode() unexpectedly applies to all rules of that type

mart-jansink opened this issue · comments

I've just noticed that .allowInClientCode() applies to all the rules of that type instead of just the rule to which it was chained. So in the following example, somebody with the "user" role will also be able to insert or remove documents for Collection from the client-side, even though the .allowInClientCode() method was only called for the rule concerning the "administrator" role (he still cannot update though):

Collection
  .permit( [ "insert", "update", "remove" ] )
  .ifHasRole( {
    role: "administrator",
  } )
  .allowInClientCode();

Collection
  .permit( [ "insert", "remove" ] )
  .ifHasRole( {
    role: "user",
  } );

Is this by design? If so, maybe it should probably be made clear in the documentation because it definitely caught me by surprise.
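A toy model of the two possible scopes for the client-code flag, added here to illustrate the report above (it is not the ongoworks:security implementation; `RuleSet`, `allowsFromClient` and the `perRule` switch are hypothetical). With the flag stored per operation type, the "user" rules inherit client access for insert and remove but not update, exactly the symptom described.

```javascript
// Hypothetical model: a rule set whose allowInClientCode() flag is scoped
// either per operation type (the reported behaviour) or per chained rule.
class RuleSet {
  constructor(perRule) {
    this.perRule = perRule;       // true: flag belongs to the chained rule
    this.rules = [];              // { types, role, clientOk }
    this.clientTypes = new Set(); // used when the flag is scoped per type
  }
  permit(types) {
    const rule = { types, role: null, clientOk: false };
    this.rules.push(rule);
    const chain = {
      ifHasRole: (role) => { rule.role = role; return chain; },
      allowInClientCode: () => {
        if (this.perRule) rule.clientOk = true;
        else rule.types.forEach((t) => this.clientTypes.add(t));
        return chain;
      },
    };
    return chain;
  }
  // Would a client-initiated `type` operation by a user holding `role` pass?
  allowsFromClient(type, role) {
    return this.rules.some((r) =>
      r.types.includes(type) && r.role === role &&
      (this.perRule ? r.clientOk : this.clientTypes.has(type)));
  }
}

// The two rule chains from the report, built against each scoping model.
function build(perRule) {
  const s = new RuleSet(perRule);
  s.permit(["insert", "update", "remove"])
    .ifHasRole("administrator").allowInClientCode();
  s.permit(["insert", "remove"]).ifHasRole("user");
  return s;
}

const observed = build(false); // flag scoped per operation type
const expected = build(true);  // flag scoped per chained rule
```

Auditing a rule set this way (enumerate every role and operation, assert which pairs are reachable from the client) catches this kind of cross-rule leakage regardless of which scoping the package actually uses.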

This package is no longer being updated or supported by Reaction.