From 74bcb916b4805e76ca1ca7bd03cb555444d8fe08 Mon Sep 17 00:00:00 2001 From: David Glasser Date: Tue, 6 May 2014 14:11:40 -0700 Subject: [PATCH] Doc and history updates for 4777e64336 --- History.md | 6 ++++++ docs/client/api.html | 4 ++++ 2 files changed, 10 insertions(+) diff --git a/History.md b/History.md index 4db84ff7da..67a5409d9e 100644 --- a/History.md +++ b/History.md @@ -104,6 +104,12 @@ Patches contributed by GitHub users awwx get one with `DDP.randomStream`. https://trello.com/c/moiiS2rP/57-pattern-for-creating-multiple-database-records-from-a-method +* The document passed to the `insert` callback of `allow` and `deny` now only + has a `_id` field if the client explicitly specified one; this allows you to + use `allow`/`deny` rules to prevent clients from specifying their own + `_id`. As an exception, `allow`/`deny` rules with a `transform` always have an + `_id`. + * DDP now has an implementation of bidirectional heartbeats which is consistent across SockJS and websocket transports. This enables connection keepalive and allows servers and clients to more consistently and efficiently detect diff --git a/docs/client/api.html b/docs/client/api.html index ff1f70e001..08a197dae4 100644 --- a/docs/client/api.html +++ b/docs/client/api.html @@ -962,6 +962,10 @@ The available callbacks are: {{#dtdd "insert(userId, doc)"}} The user `userId` wants to insert the document `doc` into the collection. Return `true` if this should be allowed. + +`doc` will contain the `_id` field if one was explicitly set by the client, or +if there is an active `transform`. You can use this to prevent users from +specifying arbitrary `_id` fields. {{/dtdd}} {{#dtdd "update(userId, doc, fieldNames, modifier)"}}
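Review bot: The exception in the last sentence of the new History.md entry ("`allow`/`deny` rules with a `transform` always have an `_id`") leaves out its consequence: in such a rule the presence of `_id` no longer shows that the client chose it, so the check described in the first sentence cannot be used there. Please state that explicitly, since a reader may otherwise rely on the check to block client-specified ids in a rule that has a `transform`. Minor: the entry uses both "a `_id`" and "an `_id`"; pick one.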
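Review bot: In the paragraph added to docs/client/api.html, "if there is an active `transform`" is vaguer than the History.md wording ("`allow`/`deny` rules with a `transform`") and does not say which transform counts as active; use the same wording in both places. The closing sentence ("You can use this to prevent users from specifying arbitrary `_id` fields") should also say how, namely a rule that checks whether `doc` has an `_id`, and should note that the check is not meaningful when a `transform` applies, because `_id` is then always present.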