Websites.allow({
  insert: function (userId, doc) {
    // Ensure sane arguments.
    check(doc, {
      url: String,
      title: String,
      description: String,
      poster: Object,
      postDate: Date,
      words: String
    });

    // Reject anonymous inserts.
    if (!userId) {
      throw new Meteor.Error("logged-out", "User must be logged in to post a site.");
      // return false;
    }

    // Reject non-new inserts.
    const url = doc.url;

    if (Websites.findOne({ url })) {
      throw new Meteor.Error("duplicate", "User may only post new sites.");
      // return false;
    }

    // Reject wrong-looking URLs
    // TODO: find a validation package usable server-side.
    // The popular themeteorchef:jquery-validation appears to be client-only.
    // For now using a very limited check.
    const URL_BOGO_REGEX = /^https?:\/\/.+$/;
    if (!URL_BOGO_REGEX.test(doc.url)) {
      throw new Meteor.Error("bad-url", "Users may only post http(s) URLs.");
      // return false;
    }

    // Reject empty titles and descriptions.
    if (doc.title === "") {
      throw new Meteor.Error("empty-title", "Title may not be empty");
      // return false;
    }

    if (doc.description === "") {
      throw new Meteor.Error("empty-description", "Description may not be empty");
      // return false;
    }

    return true;
  },

  /**
   * Access check for update operations. NOT SAFE: needs deeper modifier checks.
   *
   * @param {String} userId
   *   The user attempting the modification.
   * @param {Object} doc
   *   The original document to modify.
   * @param {Array} fields
   *   The list of affected fields.
   * @param {Object} modifier
   *   The MongoDB update modifier.
   * @returns {boolean}
   *   True to allow update.
   */
  update: function (userId, doc, fields, modifier) {
    if (!userId) {
      throw new Meteor.Error("logged-out", "User must be logged to vote on a site.");
    }
    const orderedFields = fields.sort();
    if (!_.isEqual(orderedFields, ["minus", "minusScore"]) &&
      !_.isEqual(orderedFields, ["plus", "plusScore"]) &&
      !_.isEqual(orderedFields, ["minus", "minusScore", "plus", "plusScore"]) &&
      !_.isEqual(orderedFields, ["comments"])) {
      throw new Meteor.Error("invalid-field", "May only update minus[Score] and plus[Score] or comments.");
    }

    // FIXME : check modifier.
    return true;
  }
});