Inside methods, `this.userId` is the user ID of the user who called the method (or `null` if they aren't logged in). You can check that, and throw a `Meteor.Error` if it's not the admin account.
// update today's topics (admin only)
Meteor.methods({
  /**
   * Upsert a document in the Today collection.
   * @param {*} id - selector passed straight through to Today.upsert (client-supplied, not validated here)
   * @param {*} doc - document/modifier passed straight through to Today.upsert (client-supplied, not validated here)
   * @throws {Meteor.Error} 403 when the caller is not an admin (per adminUser)
   */
  todayUpsert: function (id, doc) {
    var callerIsAdmin = adminUser(this.userId);
    if (callerIsAdmin) {
      Today.upsert(id, doc);
      return;
    }
    throw new Meteor.Error(403, "You must be an admin to do that");
  }
});
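// update reviews (logged-in, email-verified callers; only the owner may modify an existing review)
Meteor.methods({
  /**
   * Upsert a review owned by the calling user.
   * @param {*} id - selector passed straight through to Reviews.findOne/upsert
   *   (client-supplied; NOTE(review): not constrained to a string here, so a
   *   non-string selector is forwarded as-is)
   * @param {Object} doc - review document; doc.owner must equal the caller's user ID
   * @throws {Meteor.Error} 403 when not logged in, email not verified, the
   *   existing review is owned by someone else, or doc.owner is not the caller
   * @throws {Meteor.Error} 400 when doc is not an object
   */
  reviewUpsert: function (id, doc) {
    if (!this.userId) {
      throw new Meteor.Error(403, "You must be logged in to do that");
    }
    var user = Meteor.users.findOne(this.userId);
    // Accounts with no email address (e.g. some OAuth-only logins) have no
    // `emails` field; treat that as "not verified" rather than letting a
    // TypeError escape as a generic internal error.
    var primaryEmail = user && user.emails && user.emails[0];
    if (!primaryEmail || primaryEmail.verified !== true) {
      throw new Meteor.Error(403, "Your email must be verified to do that");
    }
    // Guard before reading doc.owner so a missing/non-object doc is a clean 400.
    if (!doc || typeof doc !== "object") {
      throw new Meteor.Error(400, "Review document is required");
    }
    var review = Reviews.findOne(id);
    if (review && review.owner !== this.userId) {
      throw new Meteor.Error(403, "You don't own that review");
    }
    if (doc.owner !== this.userId) {
      throw new Meteor.Error(403, "Cannot create a review for someone else");
      // alternatively, just set doc.owner = this.userId
    }
    Reviews.upsert(id, doc);
  }
});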