reactioncommerce / meteor-security

A Meteor package: Logical MongoDB security

Home Page: https://atmospherejs.com/ongoworks/security


Not working when trying to limit subproperty modifications

juanbernabo opened this issue

When trying to prevent updates on several properties of an object, I found that properties inside properties are not working, as in the following example:

Security.permit(['update']).collections([Meteor.users]).exceptProps(['profile.wallet', 'roles']).apply()

'roles' works as expected but 'profile.wallet' does not work. If I try with 'profile' it works fine, but I need to let other properties of 'profile' be permitted to update, but not 'profile.wallet'.

Am I doing something wrong?
Is there any workaround?
Juan.

The short-term fix was to simply change the property 'profile.wallet' to 'wallet', but it would be nice to make it work with subproperties.

Only top level properties are currently supported. It might not be easily possible to be more granular because that's all Meteor gives us.

@jbernab For this exact reason, and because it would introduce too much complexity, I'm currently falling back to

  • denying any inserts and updates to any subdocument or subarray fields
  • using Meteor.methods for more fine-grained control on anything that pertains to subdocuments and subarrays.

Nice, making this clear in the docs may do the trick. Thanks!
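
The limitation discussed in this thread, as an added example (not code from the package or from any commenter): `topLevelFields` approximates the top-level-only view that Meteor's update allow/deny callbacks receive, and `touchesGuardedPath` shows the dotted-path check a server-side Meteor method could run on the modifier instead. Both function names, the guarded list and the sample modifiers are assumptions constructed for illustration; no Meteor API is called.

```javascript
// Top-level field names touched by an update modifier. This is the
// granularity of the `fieldNames` argument in Meteor's allow/deny callbacks.
function topLevelFields(modifier) {
  const names = new Set();
  for (const [op, spec] of Object.entries(modifier)) {
    if (!op.startsWith('$')) { names.add(op); continue; }
    for (const path of Object.keys(spec || {})) names.add(path.split('.')[0]);
  }
  return [...names];
}

// True when writing `written` changes the value stored at `guarded`:
// the same path, an ancestor (replaces the subtree) or a descendant.
function overlaps(written, guarded) {
  return written === guarded ||
    guarded.startsWith(written + '.') ||
    written.startsWith(guarded + '.');
}

// Hypothetical helper: does this modifier touch any guarded dotted path?
function touchesGuardedPath(modifier, guardedPaths) {
  for (const [op, spec] of Object.entries(modifier)) {
    // A modifier without operators replaces the whole document.
    if (!op.startsWith('$')) return true;
    // Malformed operator argument: fail closed.
    if (spec === null || typeof spec !== 'object') return true;
    const written = Object.keys(spec);
    // $rename also writes to the destination path given as the value.
    if (op === '$rename') written.push(...Object.values(spec).map(String));
    if (written.some(w => guardedPaths.some(g => overlaps(w, g)))) return true;
  }
  return false;
}

// Constructed sample modifiers (not taken from the issue).
const GUARDED = ['profile.wallet', 'roles'];
const samples = {
  nameOnly: { $set: { 'profile.name': 'Juan' } },
  walletDirect: { $set: { 'profile.wallet': 1000 } },
  walletNested: { $inc: { 'profile.wallet.balance': 50 } },
  wholeProfile: { $set: { profile: { name: 'Juan', wallet: 1000 } } },
  renameInto: { $rename: { 'profile.tmp': 'profile.wallet' } },
};
for (const [label, m] of Object.entries(samples)) {
  console.log(label, topLevelFields(m), touchesGuardedPath(m, GUARDED));
}
```

Every sample reduces to the single top-level field `profile`, so a top-level rule cannot tell the harmless name change from the wallet writes; only the path-aware check separates them.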