{"version":3,"sources":["meteor://💻app/packages/allow-deny/allow-deny.js"],"names":["hasOwn","Object","prototype","hasOwnProperty","AllowDeny","CollectionPrototype","allow","options","addValidator","deny","_defineMutationMethods","self","_restricted","_insecure","undefined","_validators","insert","update","remove","upsert","fetch","fetchAllFields","_name","_prefix","_connection","Meteor","server","isClient","m","forEach","method","methodName","useExisting","handlerPropName","check","arguments","Match","Any","args","Array","from","generatedId","call","_makeNewID","isSimulation","_id","_collection","apply","throwIfSelectorIsNotId","length","Error","validatedMethodName","charAt","toUpperCase","slice","unshift","userId","push","_isInsecure","e","name","toString","methods","_updateFetch","fields","union","create","add","names","keys","Package","insecure","_validatedInsert","doc","some","validator","docToValidate","every","_validatedUpdate","selector","mutator","assign","LocalCollection","_selectorIsIdPerhapsAsObject","noReplaceError","mutatorKeys","modifiedFields","op","params","ALLOWED_UPDATE_OPERATIONS","field","indexOf","substring","findOptions","transform","fieldName","findOne","factoriedDoc","transformDoc","_forbidReplace","$inc","$set","$unset","$addToSet","$pop","$pullAll","$pull","$pushAll","$push","$bit","_validatedRemove","_callMutatorMethod","callback","alreadyInSimulation","err","_debug","firstArgIsSelector","mutatorMethodName","returnStubValue","ret","EJSON","clone","collection","allowOrDeny","validKeysRegEx","key","test","Function","_transform","wrapTransform","CurrentInvocation","DDP","_CurrentMethodInvocation","_CurrentInvocation","enclosing","get"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA;AACA;AACA;AAEA,MAAMA,MAAM,GAAGC,MAAM,CAACC,SAAP,CAAiBC,cAAhC,C,CAEA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;;AAEAC,SAAS,GAAG;AACVC,qBAAmB,EAAE;AADX,CAAZ,C,CAIA;AACA;;AACA,MAAMA,mBAAmB,GAAGD,SAAS,CAACC,mBAAtC;AAEA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;;AACAA,mBAAmB,CAACC,KAApB,GAA4B,UAASC,OAAT,EAAkB;AAC5CC,cAAY,CAAC,IAAD,EAAO,OAAP,EAAgBD,OAAhB,CAAZ;AACD,CAFD;AAIA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;;;AACAF,mBAAmB,CAACI,IAApB,GAA2B,UAASF,OAAT,EAAkB;AAC3CC,cAAY,CAAC,IAAD,EAAO,MAAP,EAAeD,OAAf,CAAZ;AACD,CAFD;;AAIAF,mBAAmB,CAACK,sBAApB,GAA6C,UAASH,OAAT,EAAkB;AAC7D,QAAMI,IAAI,GAAG,IAAb;AACAJ,SAAO,GAAGA,OAAO,IAAI,EAArB,CAF6D,CAI7D;AACA;;AACAI,MAAI,CAACC,WAAL,GAAmB,KAAnB,CAN6D,CAQ7D;AACA;AACA;AACA;;AACAD,MAAI,CAACE,SAAL,GAAiBC,SAAjB;AAEAH,MAAI,CAACI,WAAL,GAAmB;AACjBC,UAAM,EAAE;AAACV,WAAK,EAAE,EAAR;AAAYG,UAAI,EAAE;AAAlB,KADS;AAEjBQ,UAAM,EAAE;AAACX,WAAK,EAAE,EAAR;AAAYG,UAAI,EAAE;AAAlB,KAFS;AAGjBS,UAAM,EAAE;AAACZ,WAAK,EAAE,EAAR;AAAYG,UAAI,EAAE;AAAlB,KAHS;AAIjBU,UAAM,EAAE;AAACb,WAAK,EAAE,EAAR;AAAYG,UAAI,EAAE;AAAlB,KAJS;AAIc;AAC/BW,SAAK,EAAE,EALU;AAMjBC,kBAAc,EAAE;AANC,GAAnB;AASA,MAAI,CAACV,IAAI,CAACW,KAAV,EACE,OAxB2D,CAwBnD;AAEV;AACA;;AACAX,MAAI,CAACY,OAAL,GAAe,MAAMZ,IAAI,CAACW,KAAX,GAAmB,GAAlC,CA5B6D,CA8B7D;AACA;AACA;AACA;AACA;;AACA,MAAIX,IAAI,CAACa,WAAL,KAAqBb,IAAI,CAACa,WAAL,KAAqBC,MAAM,CAACC,MAA5B,IAAsCD,MAAM,CAACE,QAAlE,CAAJ,EAAiF;AAC/E,UAAMC,CAAC,GAAG,EAAV;AAEA,KAAC,QAAD,EAAW,QAAX,EAAqB,QAArB,EAA+BC,OAA/B,CAAwCC,MAAD,IAAY;AACjD,YAAMC,UAAU,GAAGpB,IAAI,CAACY,OAAL,GAAeO,MAAlC;;AAEA,UAAIvB,OAAO,CAACyB,WAAZ,EAAyB;AACvB,cAAMC,eAAe,GAAGR,MAAM,CAACE,QAAP,GAAkB,iBAAlB,GAAsC,iBAA9D,CADuB,CAEvB;AACA;;AACA,YAAIhB,IAAI,CAACa,WAAL,CAAiBS,eAAjB,KACF,OAAOtB,IAAI,CAACa,WAAL,CAAiBS,eAAjB,EAAkCF,UAAlC,CAAP,KAAyD,UAD3D,EACuE;AACxE;;AAEDH,OAAC,CAACG,UAAD,CAAD,GAAgB;AAAU;AAAV,SAAqB;AACnC;AACAG,aAAK,CAACC,SAAD,EAAY,CAACC,KAAK,CAACC,GAAP,CAAZ,CAAL;AACA,cAAMC,IAAI,GAAGC,KAAK,CAACC,IAAN,CAAWL,SAAX,CAAb;;AACA,YAAI;AACF;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,cAAIM,WAAW,GAAG,IAAlB;;AACA,cAAIX,MAAM,KAAK,QAAX,IAAuB,CAAC9B,MAAM,CAAC0C,IAAP,CAAYJ,IAAI,CAAC,CAAD,CAAhB,EAAqB,KAArB,CAA5B,EAAyD;AACvDG,uBAAW,GAAG9B,IAAI,CAACgC,UAAL,EAAd;AACD;;AAED,cAAI,KAAKC,YAAT,EAAuB;AACrB;AACA;AACA,gBAAIH,WAAW,KAAK,IAApB,EACEH,IAAI,CAAC,CAAD,CAAJ,CAAQO,GAAR,GAAcJ,WAAd;AACF,mBAAO9B,IAAI,CAACmC,WAAL,CAAiBhB,MAAjB,EAAyBiB,KAAzB,CACLpC,IAAI,CAACmC,WADA,EACaR,IADb,CAAP;AAED,WAxBC,CA0BF;AAEA;AACA;;;AACA,cAAIR,MAAM,KAAK,QAAf,EACEkB,sBAAsB,CAACV,IAAI,CAAC,CAAD,CAAL,EAAUR,MAAV,CAAtB;;AAEF,cAAInB,IAAI,CAACC,WAAT,EAAsB;AACpB;AACA,gBAAID,IAAI,CAACI,WAAL,CAAiBe,MAAjB,EAAyBxB,KAAzB,CAA+B2C,MAA/B,KAA0C,CAA9C,EAAiD;AAC/C,oBAAM,IAAIxB,MAAM,CAACyB,KAAX,CACJ,GADI,EACC,0DACH,yBADG,GACyBpB,MADzB,GACkC,IAFnC,CAAN;AAGD;;AAED,kBAAMqB,mBAAmB,GACnB,eAAerB,MAAM,CAACsB,MAAP,CAAc,CAAd,EAAiBC,WAAjB,EAAf,GAAgDvB,MAAM,CAACwB,KAAP,CAAa,CAAb,CADtD;AAEAhB,gBAAI,CAACiB,OAAL,CAAa,KAAKC,MAAlB;AACA1B,kBAAM,KAAK,QAAX,IAAuBQ,IAAI,CAACmB,IAAL,CAAUhB,WAAV,CAAvB;AACA,mBAAO9B,IAAI,CAACwC,mBAAD,CAAJ,CAA0BJ,KAA1B,CAAgCpC,IAAhC,EAAsC2B,IAAtC,CAAP;AACD,WAbD,MAaO,IAAI3B,IAAI,CAAC+C,WAAL,EAAJ,EAAwB;AAC7B,gBAAIjB,WAAW,KAAK,IAApB,EACEH,IAAI,CAAC,CAAD,CAAJ,CAAQO,GAAR,GAAcJ,WAAd,CAF2B,CAG7B;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;;AACA,mBAAO9B,IAAI,CAACmC,WAAL,CAAiBhB,MAAjB,EAAyBiB,KAAzB,CAA+BpC,IAAI,CAACmC,WAApC,EAAiDR,IAAjD,CAAP;AACD,WAfM,MAeA;AACL;AACA;AACA,kBAAM,IAAIb,MAAM,CAACyB,KAAX,CAAiB,GAAjB,EAAsB,eAAtB,CAAN;AACD;AACF,SAlED,CAkEE,OAAOS,CAAP,EAAU;AACV,cACEA,CAAC,CAACC,IAAF,KAAW,YAAX,IACA;AACAD,WAAC,CAACC,IAAF,KAAW,gBAFX,IAGA;AACAD,WAAC,CAACC,IAAF,KAAW,qBAJX,IAKAD,CAAC,CAACC,IAAF,KAAW,gBANb,EAOE;AACA,kBAAM,IAAInC,MAAM,CAACyB,KAAX,CAAiB,GAAjB,EAAsBS,CAAC,CAACE,QAAF,EAAtB,CAAN;AACD,WATD,MASO;AACL,kBAAMF,CAAN;AACD;AACF;AACF,OApFD;AAqFD,KAhGD;;AAkGAhD,QAAI,CAACa,WAAL,CAAiBsC,OAAjB,CAAyBlC,CAAzB;AACD;AACF,CA1ID;;AA4IAvB,mBAAmB,CAAC0D,YAApB,GAAmC,UAAUC,MAAV,EAAkB;AACnD,QAAMrD,IAAI,GAAG,IAAb;;AAEA,MAAI,CAACA,IAAI,CAACI,WAAL,CAAiBM,cAAtB,EAAsC;AACpC,QAAI2C,MAAJ,EAAY;AACV,YAAMC,KAAK,GAAGhE,MAAM,CAACiE,MAAP,CAAc,IAAd,CAAd;;AACA,YAAMC,GAAG,GAAGC,KAAK,IAAIA,KAAK,IAAIA,KAAK,CAACvC,OAAN,CAAc+B,IAAI,IAAIK,KAAK,CAACL,IAAD,CAAL,GAAc,CAApC,CAA9B;;AACAO,SAAG,CAACxD,IAAI,CAACI,WAAL,CAAiBK,KAAlB,CAAH;AACA+C,SAAG,CAACH,MAAD,CAAH;AACArD,UAAI,CAACI,WAAL,CAAiBK,KAAjB,GAAyBnB,MAAM,CAACoE,IAAP,CAAYJ,KAAZ,CAAzB;AACD,KAND,MAMO;AACLtD,UAAI,CAACI,WAAL,CAAiBM,cAAjB,GAAkC,IAAlC,CADK,CAEL;;AACAV,UAAI,CAACI,WAAL,CAAiBK,KAAjB,GAAyB,IAAzB;AACD;AACF;AACF,CAhBD;;AAkBAf,mBAAmB,CAACqD,WAApB,GAAkC,YAAY;AAC5C,QAAM/C,IAAI,GAAG,IAAb;AACA,MAAIA,IAAI,CAACE,SAAL,KAAmBC,SAAvB,EACE,OAAO,CAAC,CAACwD,OAAO,CAACC,QAAjB;AACF,SAAO5D,IAAI,CAACE,SAAZ;AACD,CALD;;AAOAR,mBAAmB,CAACmE,gBAApB,GAAuC,UAAUhB,MAAV,EAAkBiB,GAAlB,EACkBhC,WADlB,EAC+B;AACpE,QAAM9B,IAAI,GAAG,IAAb,CADoE,CAGpE;AACA;;AACA,MAAIA,IAAI,CAACI,WAAL,CAAiBC,MAAjB,CAAwBP,IAAxB,CAA6BiE,IAA7B,CAAmCC,SAAD,IAAe;AACnD,WAAOA,SAAS,CAACnB,MAAD,EAASoB,aAAa,CAACD,SAAD,EAAYF,GAAZ,EAAiBhC,WAAjB,CAAtB,CAAhB;AACD,GAFG,CAAJ,EAEI;AACF,UAAM,IAAIhB,MAAM,CAACyB,KAAX,CAAiB,GAAjB,EAAsB,eAAtB,CAAN;AACD,GATmE,CAUpE;;;AACA,MAAIvC,IAAI,CAACI,WAAL,CAAiBC,MAAjB,CAAwBV,KAAxB,CAA8BuE,KAA9B,CAAqCF,SAAD,IAAe;AACrD,WAAO,CAACA,SAAS,CAACnB,MAAD,EAASoB,aAAa,CAACD,SAAD,EAAYF,GAAZ,EAAiBhC,WAAjB,CAAtB,CAAjB;AACD,GAFG,CAAJ,EAEI;AACF,UAAM,IAAIhB,MAAM,CAACyB,KAAX,CAAiB,GAAjB,EAAsB,eAAtB,CAAN;AACD,GAfmE,CAiBpE;AACA;;;AACA,MAAIT,WAAW,KAAK,IAApB,EACEgC,GAAG,CAAC5B,GAAJ,GAAUJ,WAAV;;AAEF9B,MAAI,CAACmC,WAAL,CAAiB9B,MAAjB,CAAwB0B,IAAxB,CAA6B/B,IAAI,CAACmC,WAAlC,EAA+C2B,GAA/C;AACD,CAxBD,C,CA0BA;AACA;AACA;AACA;;;AACApE,mBAAmB,CAACyE,gBAApB,GAAuC,UACnCtB,MADmC,EAC3BuB,QAD2B,EACjBC,OADiB,EACRzE,OADQ,EACC;AACtC,QAAMI,IAAI,GAAG,IAAb;AAEAuB,OAAK,CAAC8C,OAAD,EAAU/E,MAAV,CAAL;AAEAM,SAAO,GAAGN,MAAM,CAACgF,MAAP,CAAchF,MAAM,CAACiE,MAAP,CAAc,IAAd,CAAd,EAAmC3D,OAAnC,CAAV;AAEA,MAAI,CAAC2E,eAAe,CAACC,4BAAhB,CAA6CJ,QAA7C,CAAL,EACE,MAAM,IAAI7B,KAAJ,CAAU,2CAAV,CAAN,CARoC,CAUtC;AACA;;AACA,MAAI3C,OAAO,CAACY,MAAZ,EACE,MAAM,IAAIM,MAAM,CAACyB,KAAX,CAAiB,GAAjB,EAAsB,gCACL,qCADjB,CAAN;AAGF,QAAMkC,cAAc,GAAG,2DACjB,yEADiB,GAEjB,YAFN;AAIA,QAAMC,WAAW,GAAGpF,MAAM,CAACoE,IAAP,CAAYW,OAAZ,CAApB,CApBsC,CAsBtC;;AACA,QAAMM,cAAc,GAAG,EAAvB;;AAEA,MAAID,WAAW,CAACpC,MAAZ,KAAuB,CAA3B,EAA8B;AAC5B,UAAM,IAAIxB,MAAM,CAACyB,KAAX,CAAiB,GAAjB,EAAsBkC,cAAtB,CAAN;AACD;;AACDC,aAAW,CAACxD,OAAZ,CAAqB0D,EAAD,IAAQ;AAC1B,UAAMC,MAAM,GAAGR,OAAO,CAACO,EAAD,CAAtB;;AACA,QAAIA,EAAE,CAACnC,MAAH,CAAU,CAAV,MAAiB,GAArB,EAA0B;AACxB,YAAM,IAAI3B,MAAM,CAACyB,KAAX,CAAiB,GAAjB,EAAsBkC,cAAtB,CAAN;AACD,KAFD,MAEO,IAAI,CAACpF,MAAM,CAAC0C,IAAP,CAAY+C,yBAAZ,EAAuCF,EAAvC,CAAL,EAAiD;AACtD,YAAM,IAAI9D,MAAM,CAACyB,KAAX,CACJ,GADI,EACC,6BAA6BqC,EAA7B,GAAkC,0CADnC,CAAN;AAED,KAHM,MAGA;AACLtF,YAAM,CAACoE,IAAP,CAAYmB,MAAZ,EAAoB3D,OAApB,CAA6B6D,KAAD,IAAW;AACrC;AACA;AACA,YAAIA,KAAK,CAACC,OAAN,CAAc,GAAd,MAAuB,CAAC,CAA5B,EACED,KAAK,GAAGA,KAAK,CAACE,SAAN,CAAgB,CAAhB,EAAmBF,KAAK,CAACC,OAAN,CAAc,GAAd,CAAnB,CAAR,CAJmC,CAMrC;;AACAL,sBAAc,CAACI,KAAD,CAAd,GAAwB,IAAxB;AACD,OARD;AASD;AACF,GAlBD;AAoBA,QAAM1B,MAAM,GAAG/D,MAAM,CAACoE,IAAP,CAAYiB,cAAZ,CAAf;AAEA,QAAMO,WAAW,GAAG;AAACC,aAAS,EAAE;AAAZ,GAApB;;AACA,MAAI,CAACnF,IAAI,CAACI,WAAL,CAAiBM,cAAtB,EAAsC;AACpCwE,eAAW,CAAC7B,MAAZ,GAAqB,EAArB;;AACArD,QAAI,CAACI,WAAL,CAAiBK,KAAjB,CAAuBS,OAAvB,CAAgCkE,SAAD,IAAe;AAC5CF,iBAAW,CAAC7B,MAAZ,CAAmB+B,SAAnB,IAAgC,CAAhC;AACD,KAFD;AAGD;;AAED,QAAMtB,GAAG,GAAG9D,IAAI,CAACmC,WAAL,CAAiBkD,OAAjB,CAAyBjB,QAAzB,EAAmCc,WAAnC,CAAZ;;AACA,MAAI,CAACpB,GAAL,EAAW;AACT,WAAO,CAAP,CA5DoC,CA8DtC;AACA;;AACA,MAAI9D,IAAI,CAACI,WAAL,CAAiBE,MAAjB,CAAwBR,IAAxB,CAA6BiE,IAA7B,CAAmCC,SAAD,IAAe;AACnD,UAAMsB,YAAY,GAAGC,YAAY,CAACvB,SAAD,EAAYF,GAAZ,CAAjC;AACA,WAAOE,SAAS,CAACnB,MAAD,EACCyC,YADD,EAECjC,MAFD,EAGCgB,OAHD,CAAhB;AAID,GANG,CAAJ,EAMI;AACF,UAAM,IAAIvD,MAAM,CAACyB,KAAX,CAAiB,GAAjB,EAAsB,eAAtB,CAAN;AACD,GAxEqC,CAyEtC;;;AACA,MAAIvC,IAAI,CAACI,WAAL,CAAiBE,MAAjB,CAAwBX,KAAxB,CAA8BuE,KAA9B,CAAqCF,SAAD,IAAe;AACrD,UAAMsB,YAAY,GAAGC,YAAY,CAACvB,SAAD,EAAYF,GAAZ,CAAjC;AACA,WAAO,CAACE,SAAS,CAACnB,MAAD,EACCyC,YADD,EAECjC,MAFD,EAGCgB,OAHD,CAAjB;AAID,GANG,CAAJ,EAMI;AACF,UAAM,IAAIvD,MAAM,CAACyB,KAAX,CAAiB,GAAjB,EAAsB,eAAtB,CAAN;AACD;;AAED3C,SAAO,CAAC4F,cAAR,GAAyB,IAAzB,CApFsC,CAsFtC;AACA;AACA;AACA;;AAEA,SAAOxF,IAAI,CAACmC,WAAL,CAAiB7B,MAAjB,CAAwByB,IAAxB,CACL/B,IAAI,CAACmC,WADA,EACaiC,QADb,EACuBC,OADvB,EACgCzE,OADhC,CAAP;AAED,CA9FD,C,CAgGA;AACA;AACA;AACA;AACA;AACA;;;AACA,MAAMkF,yBAAyB,GAAG;AAChCW,MAAI,EAAC,CAD2B;AACxBC,MAAI,EAAC,CADmB;AAChBC,QAAM,EAAC,CADS;AACNC,WAAS,EAAC,CADJ;AACOC,MAAI,EAAC,CADZ;AACeC,UAAQ,EAAC,CADxB;AAC2BC,OAAK,EAAC,CADjC;AAEhCC,UAAQ,EAAC,CAFuB;AAEpBC,OAAK,EAAC,CAFc;AAEXC,MAAI,EAAC;AAFM,CAAlC,C,CAKA;AACA;;AACAxG,mBAAmB,CAACyG,gBAApB,GAAuC,UAAStD,MAAT,EAAiBuB,QAAjB,EAA2B;AAChE,QAAMpE,IAAI,GAAG,IAAb;AAEA,QAAMkF,WAAW,GAAG;AAACC,aAAS,EAAE;AAAZ,GAApB;;AACA,MAAI,CAACnF,IAAI,CAACI,WAAL,CAAiBM,cAAtB,EAAsC;AACpCwE,eAAW,CAAC7B,MAAZ,GAAqB,EAArB;;AACArD,QAAI,CAACI,WAAL,CAAiBK,KAAjB,CAAuBS,OAAvB,CAAgCkE,SAAD,IAAe;AAC5CF,iBAAW,CAAC7B,MAAZ,CAAmB+B,SAAnB,IAAgC,CAAhC;AACD,KAFD;AAGD;;AAED,QAAMtB,GAAG,GAAG9D,IAAI,CAACmC,WAAL,CAAiBkD,OAAjB,CAAyBjB,QAAzB,EAAmCc,WAAnC,CAAZ;;AACA,MAAI,CAACpB,GAAL,EACE,OAAO,CAAP,CAb8D,CAehE;AACA;;AACA,MAAI9D,IAAI,CAACI,WAAL,CAAiBG,MAAjB,CAAwBT,IAAxB,CAA6BiE,IAA7B,CAAmCC,SAAD,IAAe;AACnD,WAAOA,SAAS,CAACnB,MAAD,EAAS0C,YAAY,CAACvB,SAAD,EAAYF,GAAZ,CAArB,CAAhB;AACD,GAFG,CAAJ,EAEI;AACF,UAAM,IAAIhD,MAAM,CAACyB,KAAX,CAAiB,GAAjB,EAAsB,eAAtB,CAAN;AACD,GArB+D,CAsBhE;;;AACA,MAAIvC,IAAI,CAACI,WAAL,CAAiBG,MAAjB,CAAwBZ,KAAxB,CAA8BuE,KAA9B,CAAqCF,SAAD,IAAe;AACrD,WAAO,CAACA,SAAS,CAACnB,MAAD,EAAS0C,YAAY,CAACvB,SAAD,EAAYF,GAAZ,CAArB,CAAjB;AACD,GAFG,CAAJ,EAEI;AACF,UAAM,IAAIhD,MAAM,CAACyB,KAAX,CAAiB,GAAjB,EAAsB,eAAtB,CAAN;AACD,GA3B+D,CA6BhE;AACA;AACA;AACA;;;AAEA,SAAOvC,IAAI,CAACmC,WAAL,CAAiB5B,MAAjB,CAAwBwB,IAAxB,CAA6B/B,IAAI,CAACmC,WAAlC,EAA+CiC,QAA/C,CAAP;AACD,CAnCD;;AAqCA1E,mBAAmB,CAAC0G,kBAApB,GAAyC,SAASA,kBAAT,CAA4BnD,IAA5B,EAAkCtB,IAAlC,EAAwC0E,QAAxC,EAAkD;AACzF,MAAIvF,MAAM,CAACE,QAAP,IAAmB,CAACqF,QAApB,IAAgC,CAACC,mBAAmB,EAAxD,EAA4D;AAC1D;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACAD,YAAQ,GAAG,UAAUE,GAAV,EAAe;AACxB,UAAIA,GAAJ,EACEzF,MAAM,CAAC0F,MAAP,CAAcvD,IAAI,GAAG,SAArB,EAAgCsD,GAAhC;AACH,KAHD;AAID,GAdwF,CAgBzF;;;AACA,QAAME,kBAAkB,GAAGxD,IAAI,KAAK,QAAT,IAAqBA,IAAI,KAAK,QAAzD;;AACA,MAAIwD,kBAAkB,IAAI,CAACH,mBAAmB,EAA9C,EAAkD;AAChD;AACA;AACA;AACAjE,0BAAsB,CAACV,IAAI,CAAC,CAAD,CAAL,EAAUsB,IAAV,CAAtB;AACD;;AAED,QAAMyD,iBAAiB,GAAG,KAAK9F,OAAL,GAAeqC,IAAzC;AACA,SAAO,KAAKpC,WAAL,CAAiBuB,KAAjB,CACLsE,iBADK,EACc/E,IADd,EACoB;AAAEgF,mBAAe,EAAE;AAAnB,GADpB,EAC+CN,QAD/C,CAAP;AAED,CA5BD;;AA8BA,SAASd,YAAT,CAAsBvB,SAAtB,EAAiCF,GAAjC,EAAsC;AACpC,MAAIE,SAAS,CAACmB,SAAd,EACE,OAAOnB,SAAS,CAACmB,SAAV,CAAoBrB,GAApB,CAAP;AACF,SAAOA,GAAP;AACD;;AAED,SAASG,aAAT,CAAuBD,SAAvB,EAAkCF,GAAlC,EAAuChC,WAAvC,EAAoD;AAClD,MAAI8E,GAAG,GAAG9C,GAAV;;AACA,MAAIE,SAAS,CAACmB,SAAd,EAAyB;AACvByB,OAAG,GAAGC,KAAK,CAACC,KAAN,CAAYhD,GAAZ,CAAN,CADuB,CAEvB;AACA;AACA;AACA;AACA;;AACA,QAAIhC,WAAW,KAAK,IAApB,EAA0B;AACxB8E,SAAG,CAAC1E,GAAJ,GAAUJ,WAAV;AACD;;AACD8E,OAAG,GAAG5C,SAAS,CAACmB,SAAV,CAAoByB,GAApB,CAAN;AACD;;AACD,SAAOA,GAAP;AACD;;AAED,SAAS/G,YAAT,CAAsBkH,UAAtB,EAAkCC,WAAlC,EAA+CpH,OAA/C,EAAwD;AACtD;AACA,QAAMqH,cAAc,GAAG,4CAAvB;AACA3H,QAAM,CAACoE,IAAP,CAAY9D,OAAZ,EAAqBsB,OAArB,CAA8BgG,GAAD,IAAS;AACpC,QAAI,CAACD,cAAc,CAACE,IAAf,CAAoBD,GAApB,CAAL,EACE,MAAM,IAAI3E,KAAJ,CAAUyE,WAAW,GAAG,iBAAd,GAAkCE,GAA5C,CAAN;AACH,GAHD;AAKAH,YAAU,CAAC9G,WAAX,GAAyB,IAAzB;AAEA,GAAC,QAAD,EAAW,QAAX,EAAqB,QAArB,EAA+BiB,OAA/B,CAAwC+B,IAAD,IAAU;AAC/C,QAAI5D,MAAM,CAAC0C,IAAP,CAAYnC,OAAZ,EAAqBqD,IAArB,CAAJ,EAAgC;AAC9B,UAAI,EAAErD,OAAO,CAACqD,IAAD,CAAP,YAAyBmE,QAA3B,CAAJ,EAA0C;AACxC,cAAM,IAAI7E,KAAJ,CAAUyE,WAAW,GAAG,eAAd,GAAgC/D,IAAhC,GAAuC,sBAAjD,CAAN;AACD,OAH6B,CAK9B;AACA;AACA;;;AACA,UAAIrD,OAAO,CAACuF,SAAR,KAAsBhF,SAA1B,EAAqC;AACnCP,eAAO,CAACqD,IAAD,CAAP,CAAckC,SAAd,GAA0B4B,UAAU,CAACM,UAArC,CADmC,CACe;AACnD,OAFD,MAEO;AACLzH,eAAO,CAACqD,IAAD,CAAP,CAAckC,SAAd,GAA0BZ,eAAe,CAAC+C,aAAhB,CACxB1H,OAAO,CAACuF,SADgB,CAA1B;AAED;;AAED4B,gBAAU,CAAC3G,WAAX,CAAuB6C,IAAvB,EAA6B+D,WAA7B,EAA0ClE,IAA1C,CAA+ClD,OAAO,CAACqD,IAAD,CAAtD;AACD;AACF,GAlBD,EAVsD,CA8BtD;AACA;AACA;;AACA,MAAIrD,OAAO,CAACU,MAAR,IAAkBV,OAAO,CAACW,MAA1B,IAAoCX,OAAO,CAACa,KAAhD,EAAuD;AACrD,QAAIb,OAAO,CAACa,KAAR,IAAiB,EAAEb,OAAO,CAACa,KAAR,YAAyBmB,KAA3B,CAArB,EAAwD;AACtD,YAAM,IAAIW,KAAJ,CAAUyE,WAAW,GAAG,sCAAxB,CAAN;AACD;;AACDD,cAAU,CAAC3D,YAAX,CAAwBxD,OAAO,CAACa,KAAhC;AACD;AACF;;AAED,SAAS4B,sBAAT,CAAgC+B,QAAhC,EAA0ChD,UAA1C,EAAsD;AACpD,MAAI,CAACmD,eAAe,CAACC,4BAAhB,CAA6CJ,QAA7C,CAAL,EAA6D;AAC3D,UAAM,IAAItD,MAAM,CAACyB,KAAX,CACJ,GADI,EACC,4CAA4CnB,UAA5C,GACH,mBAFE,CAAN;AAGD;AACF;;AAAA,C,CAED;;AACA,SAASkF,mBAAT,GAA+B;AAC7B,MAAIiB,iBAAiB,GACnBC,GAAG,CAACC,wBAAJ,IACA;AACA;AACAD,KAAG,CAACE,kBAJN;AAMA,QAAMC,SAAS,GAAGJ,iBAAiB,CAACK,GAAlB,EAAlB;AACA,SAAOD,SAAS,IAAIA,SAAS,CAAC1F,YAA9B;AACD,C","file":"/packages/allow-deny.js","sourcesContent":["///\n/// Remote methods and access control.\n///\n\nconst hasOwn = Object.prototype.hasOwnProperty;\n\n// Restrict default mutators on collection. allow() and deny() take the\n// same options:\n//\n// options.insert {Function(userId, doc)}\n// return true to allow/deny adding this document\n//\n// options.update {Function(userId, docs, fields, modifier)}\n// return true to allow/deny updating these documents.\n// `fields` is passed as an array of fields that are to be modified\n//\n// options.remove {Function(userId, docs)}\n// return true to allow/deny removing these documents\n//\n// options.fetch {Array}\n// Fields to fetch for these validators. If any call to allow or deny\n// does not have this option then all fields are loaded.\n//\n// allow and deny can be called multiple times. The validators are\n// evaluated as follows:\n// - If neither deny() nor allow() has been called on the collection,\n// then the request is allowed if and only if the \"insecure\" smart\n// package is in use.\n// - Otherwise, if any deny() function returns true, the request is denied.\n// - Otherwise, if any allow() function returns true, the request is allowed.\n// - Otherwise, the request is denied.\n//\n// Meteor may call your deny() and allow() functions in any order, and may not\n// call all of them if it is able to make a decision without calling them all\n// (so don't include side effects).\n\nAllowDeny = {\n CollectionPrototype: {}\n};\n\n// In the `mongo` package, we will extend Mongo.Collection.prototype with these\n// methods\nconst CollectionPrototype = AllowDeny.CollectionPrototype;\n\n/**\n * @summary Allow users to write directly to this collection from client code, subject to limitations you define.\n * @locus Server\n * @method allow\n * @memberOf Mongo.Collection\n * @instance\n * @param {Object} options\n * @param {Function} options.insert,update,remove Functions that look at a proposed modification to the database and return true if it should be allowed.\n * @param {String[]} options.fetch Optional performance enhancement. Limits the fields that will be fetched from the database for inspection by your `update` and `remove` functions.\n * @param {Function} options.transform Overrides `transform` on the [`Collection`](#collections). Pass `null` to disable transformation.\n */\nCollectionPrototype.allow = function(options) {\n addValidator(this, 'allow', options);\n};\n\n/**\n * @summary Override `allow` rules.\n * @locus Server\n * @method deny\n * @memberOf Mongo.Collection\n * @instance\n * @param {Object} options\n * @param {Function} options.insert,update,remove Functions that look at a proposed modification to the database and return true if it should be denied, even if an [allow](#allow) rule says otherwise.\n * @param {String[]} options.fetch Optional performance enhancement. Limits the fields that will be fetched from the database for inspection by your `update` and `remove` functions.\n * @param {Function} options.transform Overrides `transform` on the [`Collection`](#collections). Pass `null` to disable transformation.\n */\nCollectionPrototype.deny = function(options) {\n addValidator(this, 'deny', options);\n};\n\nCollectionPrototype._defineMutationMethods = function(options) {\n const self = this;\n options = options || {};\n\n // set to true once we call any allow or deny methods. If true, use\n // allow/deny semantics. If false, use insecure mode semantics.\n self._restricted = false;\n\n // Insecure mode (default to allowing writes). Defaults to 'undefined' which\n // means insecure iff the insecure package is loaded. This property can be\n // overriden by tests or packages wishing to change insecure mode behavior of\n // their collections.\n self._insecure = undefined;\n\n self._validators = {\n insert: {allow: [], deny: []},\n update: {allow: [], deny: []},\n remove: {allow: [], deny: []},\n upsert: {allow: [], deny: []}, // dummy arrays; can't set these!\n fetch: [],\n fetchAllFields: false\n };\n\n if (!self._name)\n return; // anonymous collection\n\n // XXX Think about method namespacing. Maybe methods should be\n // \"Meteor:Mongo:insert/NAME\"?\n self._prefix = '/' + self._name + '/';\n\n // Mutation Methods\n // Minimongo on the server gets no stubs; instead, by default\n // it wait()s until its result is ready, yielding.\n // This matches the behavior of macromongo on the server better.\n // XXX see #MeteorServerNull\n if (self._connection && (self._connection === Meteor.server || Meteor.isClient)) {\n const m = {};\n\n ['insert', 'update', 'remove'].forEach((method) => {\n const methodName = self._prefix + method;\n\n if (options.useExisting) {\n const handlerPropName = Meteor.isClient ? '_methodHandlers' : 'method_handlers';\n // Do not try to create additional methods if this has already been called.\n // (Otherwise the .methods() call below will throw an error.)\n if (self._connection[handlerPropName] &&\n typeof self._connection[handlerPropName][methodName] === 'function') return;\n }\n\n m[methodName] = function (/* ... */) {\n // All the methods do their own validation, instead of using check().\n check(arguments, [Match.Any]);\n const args = Array.from(arguments);\n try {\n // For an insert, if the client didn't specify an _id, generate one\n // now; because this uses DDP.randomStream, it will be consistent with\n // what the client generated. We generate it now rather than later so\n // that if (eg) an allow/deny rule does an insert to the same\n // collection (not that it really should), the generated _id will\n // still be the first use of the stream and will be consistent.\n //\n // However, we don't actually stick the _id onto the document yet,\n // because we want allow/deny rules to be able to differentiate\n // between arbitrary client-specified _id fields and merely\n // client-controlled-via-randomSeed fields.\n let generatedId = null;\n if (method === \"insert\" && !hasOwn.call(args[0], '_id')) {\n generatedId = self._makeNewID();\n }\n\n if (this.isSimulation) {\n // In a client simulation, you can do any mutation (even with a\n // complex selector).\n if (generatedId !== null)\n args[0]._id = generatedId;\n return self._collection[method].apply(\n self._collection, args);\n }\n\n // This is the server receiving a method call from the client.\n\n // We don't allow arbitrary selectors in mutations from the client: only\n // single-ID selectors.\n if (method !== 'insert')\n throwIfSelectorIsNotId(args[0], method);\n\n if (self._restricted) {\n // short circuit if there is no way it will pass.\n if (self._validators[method].allow.length === 0) {\n throw new Meteor.Error(\n 403, \"Access denied. No allow validators set on restricted \" +\n \"collection for method '\" + method + \"'.\");\n }\n\n const validatedMethodName =\n '_validated' + method.charAt(0).toUpperCase() + method.slice(1);\n args.unshift(this.userId);\n method === 'insert' && args.push(generatedId);\n return self[validatedMethodName].apply(self, args);\n } else if (self._isInsecure()) {\n if (generatedId !== null)\n args[0]._id = generatedId;\n // In insecure mode, allow any mutation (with a simple selector).\n // XXX This is kind of bogus. Instead of blindly passing whatever\n // we get from the network to this function, we should actually\n // know the correct arguments for the function and pass just\n // them. For example, if you have an extraneous extra null\n // argument and this is Mongo on the server, the .wrapAsync'd\n // functions like update will get confused and pass the\n // \"fut.resolver()\" in the wrong slot, where _update will never\n // invoke it. Bam, broken DDP connection. Probably should just\n // take this whole method and write it three times, invoking\n // helpers for the common code.\n return self._collection[method].apply(self._collection, args);\n } else {\n // In secure mode, if we haven't called allow or deny, then nothing\n // is permitted.\n throw new Meteor.Error(403, \"Access denied\");\n }\n } catch (e) {\n if (\n e.name === 'MongoError' ||\n // for old versions of MongoDB (probably not necessary but it's here just in case)\n e.name === 'BulkWriteError' ||\n // for newer versions of MongoDB (https://docs.mongodb.com/drivers/node/current/whats-new/#bulkwriteerror---mongobulkwriteerror)\n e.name === 'MongoBulkWriteError' ||\n e.name === 'MinimongoError'\n ) {\n throw new Meteor.Error(409, e.toString());\n } else {\n throw e;\n }\n }\n };\n });\n\n self._connection.methods(m);\n }\n};\n\nCollectionPrototype._updateFetch = function (fields) {\n const self = this;\n\n if (!self._validators.fetchAllFields) {\n if (fields) {\n const union = Object.create(null);\n const add = names => names && names.forEach(name => union[name] = 1);\n add(self._validators.fetch);\n add(fields);\n self._validators.fetch = Object.keys(union);\n } else {\n self._validators.fetchAllFields = true;\n // clear fetch just to make sure we don't accidentally read it\n self._validators.fetch = null;\n }\n }\n};\n\nCollectionPrototype._isInsecure = function () {\n const self = this;\n if (self._insecure === undefined)\n return !!Package.insecure;\n return self._insecure;\n};\n\nCollectionPrototype._validatedInsert = function (userId, doc,\n generatedId) {\n const self = this;\n\n // call user validators.\n // Any deny returns true means denied.\n if (self._validators.insert.deny.some((validator) => {\n return validator(userId, docToValidate(validator, doc, generatedId));\n })) {\n throw new Meteor.Error(403, \"Access denied\");\n }\n // Any allow returns true means proceed. Throw error if they all fail.\n if (self._validators.insert.allow.every((validator) => {\n return !validator(userId, docToValidate(validator, doc, generatedId));\n })) {\n throw new Meteor.Error(403, \"Access denied\");\n }\n\n // If we generated an ID above, insert it now: after the validation, but\n // before actually inserting.\n if (generatedId !== null)\n doc._id = generatedId;\n\n self._collection.insert.call(self._collection, doc);\n};\n\n// Simulate a mongo `update` operation while validating that the access\n// control rules set by calls to `allow/deny` are satisfied. If all\n// pass, rewrite the mongo operation to use $in to set the list of\n// document ids to change ##ValidatedChange\nCollectionPrototype._validatedUpdate = function(\n userId, selector, mutator, options) {\n const self = this;\n\n check(mutator, Object);\n\n options = Object.assign(Object.create(null), options);\n\n if (!LocalCollection._selectorIsIdPerhapsAsObject(selector))\n throw new Error(\"validated update should be of a single ID\");\n\n // We don't support upserts because they don't fit nicely into allow/deny\n // rules.\n if (options.upsert)\n throw new Meteor.Error(403, \"Access denied. Upserts not \" +\n \"allowed in a restricted collection.\");\n\n const noReplaceError = \"Access denied. In a restricted collection you can only\" +\n \" update documents, not replace them. Use a Mongo update operator, such \" +\n \"as '$set'.\";\n\n const mutatorKeys = Object.keys(mutator);\n\n // compute modified fields\n const modifiedFields = {};\n\n if (mutatorKeys.length === 0) {\n throw new Meteor.Error(403, noReplaceError);\n }\n mutatorKeys.forEach((op) => {\n const params = mutator[op];\n if (op.charAt(0) !== '$') {\n throw new Meteor.Error(403, noReplaceError);\n } else if (!hasOwn.call(ALLOWED_UPDATE_OPERATIONS, op)) {\n throw new Meteor.Error(\n 403, \"Access denied. Operator \" + op + \" not allowed in a restricted collection.\");\n } else {\n Object.keys(params).forEach((field) => {\n // treat dotted fields as if they are replacing their\n // top-level part\n if (field.indexOf('.') !== -1)\n field = field.substring(0, field.indexOf('.'));\n\n // record the field we are trying to change\n modifiedFields[field] = true;\n });\n }\n });\n\n const fields = Object.keys(modifiedFields);\n\n const findOptions = {transform: null};\n if (!self._validators.fetchAllFields) {\n findOptions.fields = {};\n self._validators.fetch.forEach((fieldName) => {\n findOptions.fields[fieldName] = 1;\n });\n }\n\n const doc = self._collection.findOne(selector, findOptions);\n if (!doc) // none satisfied!\n return 0;\n\n // call user validators.\n // Any deny returns true means denied.\n if (self._validators.update.deny.some((validator) => {\n const factoriedDoc = transformDoc(validator, doc);\n return validator(userId,\n factoriedDoc,\n fields,\n mutator);\n })) {\n throw new Meteor.Error(403, \"Access denied\");\n }\n // Any allow returns true means proceed. Throw error if they all fail.\n if (self._validators.update.allow.every((validator) => {\n const factoriedDoc = transformDoc(validator, doc);\n return !validator(userId,\n factoriedDoc,\n fields,\n mutator);\n })) {\n throw new Meteor.Error(403, \"Access denied\");\n }\n\n options._forbidReplace = true;\n\n // Back when we supported arbitrary client-provided selectors, we actually\n // rewrote the selector to include an _id clause before passing to Mongo to\n // avoid races, but since selector is guaranteed to already just be an ID, we\n // don't have to any more.\n\n return self._collection.update.call(\n self._collection, selector, mutator, options);\n};\n\n// Only allow these operations in validated updates. Specifically\n// whitelist operations, rather than blacklist, so new complex\n// operations that are added aren't automatically allowed. A complex\n// operation is one that does more than just modify its target\n// field. For now this contains all update operations except '$rename'.\n// http://docs.mongodb.org/manual/reference/operators/#update\nconst ALLOWED_UPDATE_OPERATIONS = {\n $inc:1, $set:1, $unset:1, $addToSet:1, $pop:1, $pullAll:1, $pull:1,\n $pushAll:1, $push:1, $bit:1\n};\n\n// Simulate a mongo `remove` operation while validating access control\n// rules. See #ValidatedChange\nCollectionPrototype._validatedRemove = function(userId, selector) {\n const self = this;\n\n const findOptions = {transform: null};\n if (!self._validators.fetchAllFields) {\n findOptions.fields = {};\n self._validators.fetch.forEach((fieldName) => {\n findOptions.fields[fieldName] = 1;\n });\n }\n\n const doc = self._collection.findOne(selector, findOptions);\n if (!doc)\n return 0;\n\n // call user validators.\n // Any deny returns true means denied.\n if (self._validators.remove.deny.some((validator) => {\n return validator(userId, transformDoc(validator, doc));\n })) {\n throw new Meteor.Error(403, \"Access denied\");\n }\n // Any allow returns true means proceed. Throw error if they all fail.\n if (self._validators.remove.allow.every((validator) => {\n return !validator(userId, transformDoc(validator, doc));\n })) {\n throw new Meteor.Error(403, \"Access denied\");\n }\n\n // Back when we supported arbitrary client-provided selectors, we actually\n // rewrote the selector to {_id: {$in: [ids that we found]}} before passing to\n // Mongo to avoid races, but since selector is guaranteed to already just be\n // an ID, we don't have to any more.\n\n return self._collection.remove.call(self._collection, selector);\n};\n\nCollectionPrototype._callMutatorMethod = function _callMutatorMethod(name, args, callback) {\n if (Meteor.isClient && !callback && !alreadyInSimulation()) {\n // Client can't block, so it can't report errors by exception,\n // only by callback. If they forget the callback, give them a\n // default one that logs the error, so they aren't totally\n // baffled if their writes don't work because their database is\n // down.\n // Don't give a default callback in simulation, because inside stubs we\n // want to return the results from the local collection immediately and\n // not force a callback.\n callback = function (err) {\n if (err)\n Meteor._debug(name + \" failed\", err);\n };\n }\n\n // For two out of three mutator methods, the first argument is a selector\n const firstArgIsSelector = name === \"update\" || name === \"remove\";\n if (firstArgIsSelector && !alreadyInSimulation()) {\n // If we're about to actually send an RPC, we should throw an error if\n // this is a non-ID selector, because the mutation methods only allow\n // single-ID selectors. (If we don't throw here, we'll see flicker.)\n throwIfSelectorIsNotId(args[0], name);\n }\n\n const mutatorMethodName = this._prefix + name;\n return this._connection.apply(\n mutatorMethodName, args, { returnStubValue: true }, callback);\n}\n\nfunction transformDoc(validator, doc) {\n if (validator.transform)\n return validator.transform(doc);\n return doc;\n}\n\nfunction docToValidate(validator, doc, generatedId) {\n let ret = doc;\n if (validator.transform) {\n ret = EJSON.clone(doc);\n // If you set a server-side transform on your collection, then you don't get\n // to tell the difference between \"client specified the ID\" and \"server\n // generated the ID\", because transforms expect to get _id. If you want to\n // do that check, you can do it with a specific\n // `C.allow({insert: f, transform: null})` validator.\n if (generatedId !== null) {\n ret._id = generatedId;\n }\n ret = validator.transform(ret);\n }\n return ret;\n}\n\nfunction addValidator(collection, allowOrDeny, options) {\n // validate keys\n const validKeysRegEx = /^(?:insert|update|remove|fetch|transform)$/;\n Object.keys(options).forEach((key) => {\n if (!validKeysRegEx.test(key))\n throw new Error(allowOrDeny + \": Invalid key: \" + key);\n });\n\n collection._restricted = true;\n\n ['insert', 'update', 'remove'].forEach((name) => {\n if (hasOwn.call(options, name)) {\n if (!(options[name] instanceof Function)) {\n throw new Error(allowOrDeny + \": Value for `\" + name + \"` must be a function\");\n }\n\n // If the transform is specified at all (including as 'null') in this\n // call, then take that; otherwise, take the transform from the\n // collection.\n if (options.transform === undefined) {\n options[name].transform = collection._transform; // already wrapped\n } else {\n options[name].transform = LocalCollection.wrapTransform(\n options.transform);\n }\n\n collection._validators[name][allowOrDeny].push(options[name]);\n }\n });\n\n // Only update the fetch fields if we're passed things that affect\n // fetching. This way allow({}) and allow({insert: f}) don't result in\n // setting fetchAllFields\n if (options.update || options.remove || options.fetch) {\n if (options.fetch && !(options.fetch instanceof Array)) {\n throw new Error(allowOrDeny + \": Value for `fetch` must be an array\");\n }\n collection._updateFetch(options.fetch);\n }\n}\n\nfunction throwIfSelectorIsNotId(selector, methodName) {\n if (!LocalCollection._selectorIsIdPerhapsAsObject(selector)) {\n throw new Meteor.Error(\n 403, \"Not permitted. Untrusted code may only \" + methodName +\n \" documents by ID.\");\n }\n};\n\n// Determine if we are in a DDP method simulation\nfunction alreadyInSimulation() {\n var CurrentInvocation =\n DDP._CurrentMethodInvocation ||\n // For backwards compatibility, as explained in this issue:\n // https://github.com/meteor/meteor/issues/8947\n DDP._CurrentInvocation;\n\n const enclosing = CurrentInvocation.get();\n return enclosing && enclosing.isSimulation;\n}\n"]}