From 399028eb53b41b5d1bb3cd645bc6f292a35a729d Mon Sep 17 00:00:00 2001
From: Emily Stark <emily@meteor.com>
Date: Wed, 25 Sep 2013 18:13:46 -0700
Subject: [PATCH] Don't allow clients to call update methods as upserts.

Add test for it. This is a way to avoid the complexity of allow/deny rules for
upserts; for now, if you want to do an upsert, do it in a method.
---
 packages/mongo-livedata/allow_tests.js | 13 ++++++++++++-
 packages/mongo-livedata/collection.js  |  6 ++++++
 2 files changed, 18 insertions(+), 1 deletion(-)

diff --git a/packages/mongo-livedata/allow_tests.js b/packages/mongo-livedata/allow_tests.js
index b9c50f97b1..3a085c2ece 100644
--- a/packages/mongo-livedata/allow_tests.js
+++ b/packages/mongo-livedata/allow_tests.js
@@ -431,6 +431,18 @@ if (Meteor.isClient) {
               test.equal(collection.find({updated: true}).count(), 2);
             }));
         },
+        // upsert not allowed, and has nice error.
+        function (test, expect) {
+          collection.update(
+            {_id: id2},
+            {$set: { upserted: true }},
+            { upsert: true },
+            expect(function (err, res) {
+              test.equal(err.error, 403);
+              test.matches(err.reason, /In a restricted/);
+              test.equal(collection.find({ upserted: true }).count(), 0);
+            }));
+        },
         // update with rename operator not allowed, and has nice error.
         function (test, expect) {
           collection.update(
@@ -778,4 +790,3 @@ if (Meteor.isServer) {
       delete Package.insecure;
   });
 }
-
diff --git a/packages/mongo-livedata/collection.js b/packages/mongo-livedata/collection.js
index ffb33545d3..23479ce7bd 100644
--- a/packages/mongo-livedata/collection.js
+++ b/packages/mongo-livedata/collection.js
@@ -699,9 +699,15 @@ Meteor.Collection.prototype._validatedUpdate = function(
     userId, selector, mutator, options) {
   var self = this;
 
+  options = options || {};
+
   if (!LocalCollection._selectorIsIdPerhapsAsObject(selector))
     throw new Error("validated update should be of a single ID");
 
+  if (options.upsert)
+    throw new Meteor.Error(403, "Access denied. In a restricted collection " +
+                           "you cannot do upserts.");
+
   // compute modified fields
   var fields = [];
   _.each(mutator, function (params, op) {