document existence checking was performed two times in the update and delete mutators
the update mutator never detected "owners" group because the original document wasn't transmitted, so the authorization didn't access to the document's userId prop
there was a bug comparing ids by server side because of MongoDB ids types, see #63
small improvements here: