Say I’m using a Method to update a document, and I want to validate that only the owner of the document can update it (something like myDoc.owner == Meteor.userId()). Where would it be best practice to place this validation?
In the Method itself or in allow/deny rules? Or is it good in both cases?
I like to think of allow/deny rules as just a general switch for DB modification on the client side, and of Methods as where this type of logic should go, but I’m not sure if that’s the best approach.
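
The ownership check the question describes, written inside a Method handler, as an added example that is not part of the original post. It takes the caller's identity from `this.userId` rather than from an argument and puts the owner in the update selector; `makeUpdateTitle`, `makeFakeCollection`, the `title` field and the sample data are hypothetical, and the in-memory collection is a constructed stand-in so the handler runs outside Meteor.

```javascript
// Added example. In a Meteor app this handler would be registered as
//   Meteor.methods({ 'docs.updateTitle': makeUpdateTitle(Docs) })
// ('docs.updateTitle' and Docs are hypothetical names) and would throw
// Meteor.Error instead of plain Error.
function makeUpdateTitle(collection) {
  return function updateTitle(docId, title) {
    // Arguments come from the client and are untrusted: validate types.
    if (typeof docId !== 'string' || typeof title !== 'string') {
      throw new Error('invalid-arguments');
    }
    // this.userId is set by the server for the calling connection;
    // never accept the caller's identity as a method argument.
    if (!this.userId) throw new Error('not-logged-in');
    // Ownership is part of the selector, so the check and the write are a
    // single operation: no document matches unless the caller owns it.
    const updated = collection.update(
      { _id: docId, owner: this.userId },
      { $set: { title } }
    );
    if (updated === 0) throw new Error('not-authorized');
    return updated;
  };
}

// Constructed in-memory stand-in for a collection (equality selectors and
// $set only), so the handler can be exercised without a Meteor server.
function makeFakeCollection(docs) {
  return {
    update(selector, modifier) {
      const doc = docs.find((d) =>
        Object.keys(selector).every((k) => d[k] === selector[k]));
      if (!doc) return 0;
      Object.assign(doc, modifier.$set);
      return 1;
    },
  };
}

// Constructed sample data: one document owned by "alice".
const sampleDocs = [{ _id: 'd1', owner: 'alice', title: 'old' }];
const updateTitle = makeUpdateTitle(makeFakeCollection(sampleDocs));

// Calls the handler the way the server would, with `this.userId` bound.
function tryUpdate(userId, docId, title) {
  try {
    return updateTitle.call({ userId }, docId, title);
  } catch (e) {
    return e.message;
  }
}
```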