Clarification on where to set Meteor.users.allow

I want to let my users edit their own profiles, but only their own profiles.
I’ve got this snippet which I’m pretty sure is correct to allow me to set the permissions.

  ownsDocument(userId, doc) {
      return doc && doc.userId === userId;
  }

    update: this.ownsDocument

This is the update that I’m calling which was working until I removed insecure.

     Meteor.users.update(Meteor.userId(), {
       $set: {
         "data": {
           "teams": teams,
           "currentrole": this.profile.getRole(),
           "userDetail": userDetail,
           "contact1": contact1
         }
       }
     }, () => {

Main issue is where should I place the allow snippet?
I’m using Angular 2 with Ionic 2 and Meteor.

Seems that if I set it to profile instead of data it works fine actually.

By default the users collection allows client side updates to the profile key of each user’s own user document. This, if you are not aware, is a minor security concern which could allow any user to delete their whole profile, or store a pretty decent amount of arbitrary data in their user document that you don’t expect to be there. I personally recommend setting a deny rule and creating a separate collection to store profiles.

Yeah, that will probably be the way I end up going closer to production.

I attach schemas to the collection. Should this not prevent at least any user from passing data to the server? Otherwise all they can do is bloat their browser memory…
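An added example, not code from any poster in this thread: a rule function in the shape of a Meteor allow `update` callback that permits a user to replace only the `data` field of their own user document, with a fixed key list and a size bound to address the arbitrary-data concern raised above. The function name, the key list (taken from the question's `$set`) and the 4096-byte cap are assumptions; the Meteor wiring is shown only in comments so the block runs under plain Node.

```javascript
// Added example. Shape matches a Meteor allow `update` callback:
// (userId, doc, fieldNames, modifier) -> boolean.
const ALLOWED_DATA_KEYS = ["teams", "currentrole", "userDetail", "contact1"];
const MAX_DATA_BYTES = 4096; // assumed cap on what one user may store

function canUpdateOwnData(userId, doc, fieldNames, modifier) {
  // Caller must be logged in and editing their own user document.
  // Documents in Meteor.users are keyed by _id.
  if (!userId || !doc || doc._id !== userId) return false;

  // Only the top-level "data" field may be touched.
  if (fieldNames.length !== 1 || fieldNames[0] !== "data") return false;

  // Exactly one operator, $set, on exactly one key, "data".
  // This rejects $unset, $push, and dotted paths such as "data.x".
  const ops = Object.keys(modifier);
  if (ops.length !== 1 || ops[0] !== "$set") return false;
  const setKeys = Object.keys(modifier.$set);
  if (setKeys.length !== 1 || setKeys[0] !== "data") return false;

  const data = modifier.$set.data;
  if (data === null || typeof data !== "object" || Array.isArray(data)) {
    return false;
  }

  // No unexpected keys, and a bound on total serialized size.
  if (!Object.keys(data).every((k) => ALLOWED_DATA_KEYS.includes(k))) {
    return false;
  }
  return Buffer.byteLength(JSON.stringify(data), "utf8") <= MAX_DATA_BYTES;
}

// Wiring in server-side Meteor code (not executed in this block):
//   Meteor.users.allow({ update: canUpdateOwnData });
//   // Block the default client-side writes to "profile":
//   Meteor.users.deny({
//     update: (userId, doc, fields) => fields.includes("profile"),
//   });
```

The rule checks only shape and size; per-field type validation is still the job of a schema or a server method.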