It doesn’t work because doing mongo operations inside methods bypasses the allow rules. You need to do the admin check in the method itself. Read the explanation below the API details: http://docs.meteor.com/#/full/allow
Since the source file is in the lib directory, the methods are executing on both the client and server, and allow/deny rules are not applied for server code.
Also, the parameters on the insert rule are incorrect; they should be insert(userId, doc), per the docs.
I also want to note that you are trusting the admin value in the post, which is coming from the client (which is inherently untrusted). The admin role should be retrieved from the logged-in user, server-side. This may not be the reason for this specific failure, but it’s worth noting.
As @lal pointed out, the docs are good on these points. Good luck!
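The server-side admin check described in the replies above, as an added example that is not part of the original thread. The collection `Posts`, the method name `posts.insert`, the `admin` field on the user document and the in-memory stand-ins are assumptions made here so the handler can run outside Meteor.

```javascript
// Added example; `Posts`, `posts.insert` and the `admin` user field are assumed names.
function makePostMethods(Meteor, Posts) {
  return {
    'posts.insert'(doc) {
      // Methods bypass allow/deny, so the authorization check lives here.
      if (!this.userId) {
        throw new Meteor.Error('not-authorized', 'Login required');
      }
      // Read the role from the server-side user record, never from `doc`.
      const user = Meteor.users.findOne(this.userId, { fields: { admin: 1 } });
      if (!user || user.admin !== true) {
        throw new Meteor.Error('not-authorized', 'Admin only');
      }
      if (!doc || typeof doc.title !== 'string' || typeof doc.body !== 'string') {
        throw new Meteor.Error('invalid-post', 'title and body must be strings');
      }
      // Copy only expected fields so client extras (e.g. `admin`) are dropped.
      return Posts.insert({ title: doc.title, body: doc.body, authorId: this.userId });
    },
  };
}

// Constructed in-memory stand-ins so the handler runs outside Meteor.
function makeFakes(users) {
  class FakeError extends Error {
    constructor(error, reason) { super(reason); this.error = error; }
  }
  const stored = [];
  return {
    Meteor: { Error: FakeError, users: { findOne: (id) => users[id] } },
    Posts: { insert: (d) => { stored.push(d); return `id${stored.length}`; } },
    stored,
  };
}

// Calls the method as `userId` would, returning the new id or the error code.
function callAs(userId, doc, fakes) {
  const methods = makePostMethods(fakes.Meteor, fakes.Posts);
  try {
    return methods['posts.insert'].call({ userId }, doc);
  } catch (e) {
    return e.error;
  }
}

// In a Meteor app (server-only file): Meteor.methods(makePostMethods(Meteor, Posts));
```

With constructed users where only `u1` has `admin: true`, `callAs('u2', { title: 't', body: 'b', admin: true }, fakes)` returns `'not-authorized'`, because the client-supplied `admin` flag is never consulted.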
That was the exact point of my post! I saw the same exact type of code in my code review: people put in allow/deny rules but then use a method which bypasses allow/deny rules.