Don't allow clients to call update methods as upserts.

Add test for it. This is a way to avoid the complexity of allow/deny rules for
upserts; for now, if you want to do an upsert, do it in a method.

packages/mongo-livedata/allow_tests.js

@@ -431,6 +431,18 @@ if (Meteor.isClient) {
               test.equal(collection.find({updated: true}).count(), 2);
             }));
         },
+        // upsert not allowed, and has nice error.
+        function (test, expect) {
+          collection.update(
+            {_id: id2},
+            {$set: { upserted: true }},
+            { upsert: true },
+            expect(function (err, res) {
+              test.equal(err.error, 403);
+              test.matches(err.reason, /In a restricted/);
+              test.equal(collection.find({ upserted: true }).count(), 0);
+            }));
+        },
         // update with rename operator not allowed, and has nice error.
         function (test, expect) {
           collection.update(
@@ -778,4 +790,3 @@ if (Meteor.isServer) {
       delete Package.insecure;
   });
 }
-

packages/mongo-livedata/collection.js

@@ -699,9 +699,15 @@ Meteor.Collection.prototype._validatedUpdate = function(
     userId, selector, mutator, options) {
   var self = this;
 
+  options = options || {};
+
   if (!LocalCollection._selectorIsIdPerhapsAsObject(selector))
     throw new Error("validated update should be of a single ID");
 
+  if (options.upsert)
+    throw new Meteor.Error(403, "Access denied. In a restricted collection " +
+                           "you cannot do upserts.");
+
   // compute modified fields
   var fields = [];
   _.each(mutator, function (params, op) {