remove server check overrides

app/lib/constants/characterAssetAllowDeny.js

@@ -12,20 +12,19 @@ Meteor.methods({
 
 CHARACTER_SUBSCHEMA_ALLOW = {
 	// the user must be logged in, and the user must be a writer of the character
-	// or we must be the server
 	insert: function(userId, doc) {
 		var char = Characters.findOne(
 			doc.charId,
 			{fields: {owner: 1, writers: 1}}
 		);
-		return (userId && char.owner === userId || _.contains(char.writers, userId) || Meteor.isServer);
+		return (userId && char.owner === userId || _.contains(char.writers, userId));
 	},
 	update: function(userId, doc, fields, modifier) {
 		var char = Characters.findOne(
 			doc.charId,
 			{fields: {owner: 1, writers: 1}}
 		);
-		return (userId && char.owner === userId || _.contains(char.writers, userId) || Meteor.isServer);
+		return (userId && char.owner === userId || _.contains(char.writers, userId));
 	},
 	remove: function(userId, doc) {
 		var char = Characters.findOne(
@@ -33,7 +32,7 @@ CHARACTER_SUBSCHEMA_ALLOW = {
 			{fields: {owner: 1, writers: 1}}
 		);
 		if (!char) return true;
-		return userId && char.owner === userId || _.contains(char.writers, userId) || Meteor.isServer;
+		return userId && char.owner === userId || _.contains(char.writers, userId);
 	},
 	fetch: ["charId"],
 };

app/lib/functions/parenting.js

@@ -132,9 +132,6 @@ makeParent = function(collection, donatedKeys){
 };
 
 var checkPermission = function(userId, charId){
-	if (Meteor.isServer) {  // we always trust server
-		return true;
-	}
 	var char = Characters.findOne(charId, {fields: {owner: 1, writers: 1}});
 	if (!char)
 		throw new Meteor.Error("Access Denied, no charId",