forceUpdate-flag breaks authorization with insecure Classes. #648

Open
arggh opened this issue Oct 20, 2017 · 6 comments

@arggh
Contributor

arggh commented Oct 20, 2017

When my class is not secured and I try to update a document from the client using { forceUpdate: true }, my Astronomy event-based authorization system fails (not allowing the operation when it actually should allow).

If I remove the forceUpdate-flag from the save-call, everything works as before.

Another way to "fix" it is to also apply simulation: false on the same save-operation.

Let me know if you need a repro and I'll try to come up with one.

@lukejagodzinski
Member

Yep reproduction would be handful :)

@arggh
Contributor Author

arggh commented Oct 21, 2017

Actually, I think these two are linked: #649

In my case where forceUpdate: true was causing issues I was also fetching only some fields of the documents (on the client), and also specifying which fields to save, like so:

doc.save({ fields: ['order'], forceUpdate: true });

I could fix the issue in three ways:

  1. Remove forceUpdate: true
  2. Remove fields attribute from the find method call, thus fetching all fields
  3. Add simulation: false to the save-call

@arggh
Contributor Author

arggh commented Oct 21, 2017

Still working on the reproduction, but I'm missing something...

@arggh
Contributor Author

arggh commented Oct 21, 2017

So, using forceUpdate just requires you to have all fields in the actual document object you are updating; it's not enough to have them on the client. If forceUpdate is omitted, then all you need is the field you are updating.

@lukejagodzinski
Member

Please provide a reproduction so I can easily work on a fix.

@arggh
Contributor Author

arggh commented Oct 23, 2017

I will, sorry it's taking a while, I'm in a tight spot currently with work.
