I've created a form for users to update their profiles. When I submit the form I'm receiving a [403] error.
Not permitted. Untrusted code may only update documents by ID.
My question is, if I'm going to use Meteor.users.allow, where - in what file/directory - do I write this code?
Thanks, Nathan
The error you're getting is not a result of your allow/deny rules. You would get a straight 'Access Denied' error if it were.
When updating your users (as well as having the correct allow rules in place) you need to update your user by their _id - especially if they are being updated on the client end.
So instead of
Meteor.users.update({name: "etc"}, {$set:..});
You need to split it in two, one to get the _id and then one to update your document on that.
var user = Meteor.users.findOne({name: 'etc'});
Meteor.users.update({_id: user._id}, {$set:..});
The rule is: on the client, you can only use _id to find the document when updating.
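An added example, not part of the original answer: a server-side allow rule paired with a client update addressed by _id. Allow rules are defined in server code; the file name server/users.js, the settings field, its editable keys and the helper names are assumptions for illustration.

```javascript
// server/users.js (assumed file name): allow rules are evaluated on the server.

// Keys under the assumed top-level `settings` field that a user may set.
const EDITABLE = new Set(['settings.theme', 'settings.language']);

// Meteor calls an `update` allow callback with (userId, doc, fieldNames, modifier)
// for each client-initiated update; the write is rejected unless some allow
// rule returns true.
function allowOwnSettingsUpdate(userId, doc, fieldNames, modifier) {
  // Must be logged in and editing their own user document.
  if (!userId || doc._id !== userId) return false;
  // fieldNames lists the top-level fields touched; permit `settings` only.
  if (fieldNames.length !== 1 || fieldNames[0] !== 'settings') return false;
  // Permit a lone $set on whitelisted keys with short string values.
  const ops = Object.keys(modifier);
  if (ops.length !== 1 || ops[0] !== '$set') return false;
  const entries = Object.entries(modifier.$set);
  return entries.length > 0 && entries.every(
    ([key, value]) =>
      EDITABLE.has(key) && typeof value === 'string' && value.length <= 64
  );
}

// Client side (hypothetical helper): address the document by _id,
// as the answer describes.
function saveSettings(fields, done) {
  Meteor.users.update({ _id: Meteor.userId() }, { $set: fields }, done);
}

// Register the rule only when running inside a Meteor server.
if (typeof Meteor !== 'undefined' && Meteor.isServer) {
  Meteor.users.allow({ update: allowOwnSettingsUpdate });
}
```

The callback is a plain function, so the rule can be unit-tested with constructed arguments outside Meteor before it is registered.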