Restricting database updates
Until now, we have simply added insert and update functionality to our editPost
template. However, with nothing enforcing permissions, anybody can insert or update
documents by typing an insert or update statement into their browser's console.
To prevent this, we need to check insertion and update rights on the server side, before the write reaches the database.
Meteor's collections come with the allow and deny functions. The rules registered with them run on the server before every insert, update, or remove that a client initiates, to decide whether the write is permitted. Code running on the server itself bypasses them.
An allow rule lets us permit certain documents or fields to be written, whereas a deny rule takes precedence over every allow rule: if any deny rule returns true, the action is rejected no matter what the allow rules say.
To make this visible, let's look at an example with two allow rules: one permits the title
field of certain documents to be changed, the other permits only the description
field to be edited. An additional deny rule then prevents one specific document from being edited under any circumstances.
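The following is an added example, not code from the book. The three callbacks are written in the shape Meteor expects for update rules, (userId, doc, fieldNames, modifier), but instead of registering them with Posts.allow and Posts.deny they are evaluated by a small evaluateUpdate helper that mirrors Meteor's documented semantics (the write passes only if at least one allow callback returns true and no deny callback returns true). The helper, the fieldNamesOf function, the owner and locked fields, and the sample posts are all assumptions made for this illustration.

```javascript
// Constructed sample documents standing in for entries of the Posts collection.
// `owner` and `locked` are fields assumed for this example.
const posts = {
  p1: { _id: 'p1', title: 'Hello', description: 'first post', owner: 'alice', locked: false },
  p2: { _id: 'p2', title: 'Frozen', description: 'do not touch', owner: 'alice', locked: true },
};

// Allow rules, in the (userId, doc, fieldNames, modifier) shape Meteor passes to
// update callbacks. Each one permits exactly one field and nothing else.
const allowRules = [
  // Rule 1: the owner of a post may change its title, and only its title.
  function ownerMayEditTitle(userId, doc, fieldNames, modifier) {
    return doc.owner === userId && fieldNames.length === 1 && fieldNames[0] === 'title';
  },
  // Rule 2: any logged-in user may edit the description, and only the description.
  function anyUserMayEditDescription(userId, doc, fieldNames, modifier) {
    return !!userId && fieldNames.length === 1 && fieldNames[0] === 'description';
  },
];

// Deny rules: a locked post is never updated, whatever the allow rules say.
const denyRules = [
  function lockedPostsAreFrozen(userId, doc, fieldNames, modifier) {
    return doc.locked === true;
  },
];

// Top-level field names touched by a MongoDB-style modifier, e.g.
// {$set: {'meta.views': 1}, $unset: {title: ''}} -> ['meta', 'title'].
// This is what Meteor hands to update callbacks as `fieldNames`.
function fieldNamesOf(modifier) {
  const names = new Set();
  for (const op of Object.keys(modifier)) {
    for (const key of Object.keys(modifier[op])) {
      names.add(key.split('.')[0]);
    }
  }
  return Array.from(names);
}

// Stand-in for Meteor's own evaluation (assumption, not Meteor's API):
// deny rules are consulted first and any `true` rejects the write; otherwise
// the write goes through only if some allow rule returns `true`.
function evaluateUpdate(userId, doc, modifier) {
  const fieldNames = fieldNamesOf(modifier);
  if (denyRules.some((rule) => rule(userId, doc, fieldNames, modifier))) {
    return false;
  }
  return allowRules.some((rule) => rule(userId, doc, fieldNames, modifier));
}

// Stand-alone demonstration of the interesting cases.
const cases = [
  ['alice edits her own title', 'alice', posts.p1, { $set: { title: 'Renamed' } }],
  ['bob edits someone else\'s title', 'bob', posts.p1, { $set: { title: 'Renamed' } }],
  ['bob edits the description', 'bob', posts.p1, { $set: { description: 'changed' } }],
  ['anonymous edits the description', null, posts.p1, { $set: { description: 'changed' } }],
  ['alice edits title and description at once', 'alice', posts.p1, { $set: { title: 'a', description: 'b' } }],
  ['alice edits the title of a locked post', 'alice', posts.p2, { $set: { title: 'Renamed' } }],
];
for (const [label, userId, doc, modifier] of cases) {
  console.log(`${label}: ${evaluateUpdate(userId, doc, modifier) ? 'allowed' : 'denied'}`);
}
```

In a real app the callbacks would be passed as Posts.allow({ update: ownerMayEditTitle }) and Posts.deny({ update: lockedPostsAreFrozen }) on the server. Two cases are worth noting: the locked post is rejected even though its owner satisfies an allow rule, which is the deny precedence described above, and a single update that touches both title and description is rejected because every allow callback receives the full fieldNames list and neither rule accepts more than one field. A form that saves both fields at once therefore needs either two separate updates or a rule that explicitly permits that combination.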