
Meteor JS - allow/deny rules

Tags: meteor

In the example app "parties" there is a set of allow/deny rules for the Parties collection. The rule for insert looks like this:

Parties.allow({
  insert: function (userId, party) {
    return false; // no cowboy inserts -- use createParty method
  },...

At the same time, the createParty method implements Parties.insert({....}), which is somehow not affected by the rules applied to the Parties collection.

.....
return Parties.insert({
      owner: this.userId,
      x: options.x,
      y: options.y,
      title: options.title,
      description: options.description,
      public: !! options.public,
      invited: [],
      rsvps: []
    });
.....

Could someone explain why the createParty method is not affected by the rules?

Thank you.

Jevgenijs Golojads asked Jan 27 '13 13:01


1 Answer

The createParty method is in Meteor.methods, which is run on the server as well as on the client's end by calling Meteor.call('createParties') from the client. On the client it will not insert any data, but the method running on the server will insert the party.

Meteor's allow and deny rules control what comes from the client's end directly and don't apply to anything running on the server's end.

Tarang answered Nov 12 '22 00:11
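
The boundary described in the answer above, as an added example that is not part of the original answer and not Meteor's own code: a small plain-JavaScript model in which Collection, clientInsert and call are hypothetical stand-ins for a collection, a direct client write and Meteor.call. It shows that the allow rule gates only the client path, so the method has to check the caller and its input itself; the specific checks are chosen for illustration.

```javascript
// Simplified model of the trust boundary (constructed for illustration).
class Collection {
  constructor() {
    this.docs = [];
    this.allowRules = [];
  }
  allow(rules) {
    this.allowRules.push(rules);
  }
  // Trusted path: code already running on the server, e.g. a method body.
  insert(doc) {
    this.docs.push(doc);
    return this.docs.length; // stand-in for a generated _id
  }
  // Untrusted path: an insert requested directly by a client.
  clientInsert(userId, doc) {
    const allowed = this.allowRules.some((r) => r.insert && r.insert(userId, doc));
    if (!allowed) throw new Error("Access denied");
    return this.insert(doc);
  }
}

const Parties = new Collection();
Parties.allow({ insert: (userId, party) => false }); // rule from the question

// Methods run server-side, so allow/deny is never consulted here: the
// method itself must authenticate the caller and validate its input.
const methods = {
  createParty(options) {
    if (!this.userId) throw new Error("You must be logged in");
    if (typeof options.title !== "string" || options.title.length === 0)
      throw new Error("Title required");
    if (typeof options.x !== "number" || typeof options.y !== "number")
      throw new Error("Coordinates must be numbers");
    return Parties.insert({
      owner: this.userId, // taken from the session, never from client input
      x: options.x,
      y: options.y,
      title: options.title,
      public: !!options.public,
      invited: [],
      rsvps: [],
    });
  },
};

// Stand-in for Meteor.call: invokes the method with the caller's userId bound.
function call(userId, name, ...args) {
  return methods[name].apply({ userId }, args);
}
```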