In Meteor 0.5.8 the following change was introduced:
Calls to the update and remove collection functions in untrusted code may no longer use arbitra
From the Meteor blog:
Changes to allow/deny rules
Starting in 0.5.8, client-only code such as event handlers may only update or remove a single document at a time, specified by _id. Method code can still use arbitrary Mongo selectors to manipulate any number of documents at once. To run complex updates from an event handler, just define a method with Meteor.methods and call it from the event handler.
This change significantly simplifies the allow/deny API, encourages better application structure, avoids a potential DoS attack in which an attacker could force the server to do a lot of work to determine if an operation is authorized, and fixes the security issue reported by @jan-glx.
To update your code, change your allow and deny handlers to take a single document rather than an array of documents. This should significantly simplify your code. Also check to see if you have any update or remove calls in your event handlers that use Mongo selectors (this is quite rare), and if so, move them into methods. For details, see the update and remove docs.
So basically, from my point of view, you almost never want the behavior to be able to update and delete arbitrary sets of documents from the client without any more specific knowledge (like the id of the document).
When prototyping—which I'm guessing is what you're doing—I suppose it can get in the way, but then if you ever want to get your code into production, I believe the pros outweigh the cons. This also comes down to the security declarations (allow
and deny
) being easier to specify after this change.
Hope that gave you some more information.