CRUD validation should go in method or in allow/deny rules?

Say I’m using a Method to update a document, and I want to validate that only the owner of the document can update it (something like myDoc.owner == Meteor.userId() ), where would it be best practice to place this validation?

In the Method itself or in allow/deny rules? or it’s good in both cases?

I like to think of allow/deny rules as just a general switch for DB modification in the client side, and of Methods as where this type of logic should go, but I’m not sure if that’s the best approach.

allow/deny is good if it’s simple validation and operations

meteor methods is better if it’s complex operations.

allow/deny is just calling a meteor method implicitly, really

1 Like

Thanks corvid for your response. I wasn’t aware about: