From b45a1301e91012257c6f6294cbe509d3c9eca8b4 Mon Sep 17 00:00:00 2001
From: Tom Coleman <tom@thesnail.org>
Date: Mon, 8 Apr 2013 10:09:27 +1000
Subject: [PATCH] Added basic permission to check the post's owner.

chapter8-2
---
 lib/collections/posts.js | 5 +++++
 lib/permissions.js       | 4 ++++
 2 files changed, 9 insertions(+)
 create mode 100644 lib/permissions.js

diff --git a/lib/collections/posts.js b/lib/collections/posts.js
index a7d1e287..06dbada5 100644
--- a/lib/collections/posts.js
+++ b/lib/collections/posts.js
@@ -1,5 +1,10 @@
 Posts = new Mongo.Collection('posts');
 
+Posts.allow({
+  update: function(userId, post) { return ownsDocument(userId, post); },
+  remove: function(userId, post) { return ownsDocument(userId, post); },
+});
+
 Meteor.methods({
   postInsert: function(postAttributes) {
     check(this.userId, String);
diff --git a/lib/permissions.js b/lib/permissions.js
new file mode 100644
index 00000000..fa46a332
--- /dev/null
+++ b/lib/permissions.js
@@ -0,0 +1,4 @@
+// check that the userId specified owns the documents
+ownsDocument = function(userId, doc) {
+  return doc && doc.userId === userId;
+}
\ No newline at end of file