As we discovered in @ldworkin's project today. This is tricky, because we need to consider the use of `Meteor.users.find()` in all of the following cases:

- Server-side code: should be unaffected, or else bugs will ensue.
- Unauthenticated publish: should throw an error, but hard to detect; possibly requires modifications to collection-hooks. Also, might not be a big issue because users always authenticate (except in HIT preview?)
- Authenticated publish: should throw an error if not in group, and not admin. Detect using `CollectionHooks.isWithinPublish()`.
- Method call: should throw an error if not in group and not admin. Detect using `DDP._CurrentInvocation.get()`.
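The four cases listed in the issue, written out as a guard that can be exercised outside Meteor. This is an added example, not code from the issue or the project. The `env` adapter and its `groupOf` and `isAdmin` lookups are hypothetical; in an app, `isWithinPublish` and `currentInvocation` would wrap `CollectionHooks.isWithinPublish()` and `DDP._CurrentInvocation.get()`.

```javascript
// Added example. `env` is a hypothetical adapter, not a real package API:
//   isWithinPublish()   would wrap CollectionHooks.isWithinPublish()
//   currentInvocation() would wrap DDP._CurrentInvocation.get()
//   groupOf(id), isAdmin(id) are assumed lookups.
function guardUsersFind(env, userId) {
  const inPublish = env.isWithinPublish();
  const invocation = env.currentInvocation();

  // Plain server-side code: neither a publish nor a method is running,
  // so the query must pass through untouched.
  if (!inPublish && !invocation) return 'server';

  const context = inPublish ? 'publish' : 'method';
  // In a method the caller's id comes from the invocation object.
  const caller = inPublish ? userId : invocation.userId;

  if (!caller) {
    // The issue notes the unauthenticated publish case is hard to detect;
    // this branch only fires if the adapter actually reports it.
    throw new Error(`users.find() in unauthenticated ${context}`);
  }
  if (env.isAdmin(caller)) return `${context}:admin`;
  if (!env.groupOf(caller)) {
    throw new Error(`users.find() in ${context}: user ${caller} has no group`);
  }
  return `${context}:group`;
}

// Constructed sample data: alice is in a group, bob is not, root is admin.
function makeEnv({ inPublish = false, invocation = null } = {}) {
  const groups = { alice: 'g1' };
  const admins = new Set(['root']);
  return {
    isWithinPublish: () => inPublish,
    currentInvocation: () => invocation,
    groupOf: (id) => groups[id] || null,
    isAdmin: (id) => admins.has(id),
  };
}

// Run the guard and report the outcome as a string instead of throwing.
function attempt(env, userId) {
  try {
    return guardUsersFind(env, userId);
  } catch (e) {
    return `denied: ${e.message}`;
  }
}
```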