Added Allow-Deny Rules

rpg-docs/Model/Character/Characters.js

@@ -434,3 +434,52 @@ Characters.before.remove(function (userId, character) {
 		Containers    .remove({charId: character._id});
 	}
 });
+
+Characters.allow({
+	insert: function (userId, doc) {
+		// the user must be logged in, and the document must be owned by the user
+		return (userId && doc.owner === userId);
+	},
+	update: function (userId, doc, fields, modifier) {
+		// can only change documents you have write access to
+		return doc.owner === userId ||
+			_.contains(doc.writers, userId);
+	},
+	remove: function (userId, doc) {
+		// can only remove your own documents
+		return doc.owner === userId;
+	},
+	fetch: ["owner", "writers"]
+});
+
+Characters.deny({
+	update: function (userId, docs, fields, modifier) {
+		// can't change owners
+		return _.contains(fields, 'owner');
+	}
+});
+
+CHARACTER_SUBSCHEMA_ALLOW = {
+	// the user must be logged in, and the user must be a writer of the character
+	insert: function (userId, doc) {
+		var char = Characters.findOne( doc.charId, { fields: {owner: 1, writers: 1} } );
+		return ( userId && char.owner === userId || _.contains(char.writers, userId) );
+	},
+	update: function (userId, doc, fields, modifier) {
+		var char = Characters.findOne( doc.charId, { fields: {owner: 1, writers: 1} } );
+		return ( userId && char.owner === userId || _.contains(char.writers, userId) );
+	},
+	remove: function (userId, doc) {
+		var char = Characters.findOne( doc.charId, { fields: {owner: 1, writers: 1} } );
+		return ( userId && char.owner === userId || _.contains(char.writers, userId) );
+	},
+	fetch: ["charId"]
+};
+
+CHARACTER_SUBSCHEMA_DENY = {
+	update: function (userId, docs, fields, modifier) {
+		// can't change character
+		return _.contains(fields, 'charId');
+	},
+	fetch: ["charId"]
+};