Commit 7-6: Use a method to submit the post.

.meteor/packages

@@ -11,3 +11,4 @@ underscore
 sacha:spin
 ian:accounts-ui-bootstrap-3
 accounts-password
+audit-argument-checks

.meteor/versions

@@ -1,6 +1,7 @@
 accounts-base@1.2.0
 accounts-password@1.1.1
 anti:i18n@0.4.3
+audit-argument-checks@1.0.3
 autoupdate@1.2.1
 base64@1.0.3
 binary-heap@1.0.3

client/templates/posts/post_submit.js

@@ -16,7 +16,13 @@ Template.postSubmit.events({
       title: $(e.target).find('[name=title]').val()
     };
 
-    post._id = Posts.insert(post);
-    Router.go('postPage', post);
+    Meteor.call('postInsert', post, function (error, result) {
+      // Display the error to the user and abort.
+      if (error) {
+        return alert(error);
+      }
+
+      Router.go('postPage', { _id: result._id });
+    });
   }
 });

lib/collections/posts.js

@@ -10,9 +10,25 @@
 // Not a "var", to make it global.
 Posts = new Mongo.Collection('posts');
 
-Posts.allow({
-  insert: function (userId, doc) {
-    // Only allow insert to logged-in users
-    return !!userId;
+// Removed Posts.allow : we no longer trigger inserts from client.
+
+// This is in lib/ instead of server/ for latency compensation (?).
+Meteor.methods({
+  postInsert: function(postAttributes) {
+    check(Meteor.userId(), String);
+    check(postAttributes, {
+      title: String,
+      url: String
+    });
+    var user = Meteor.user();
+    var post = _.extend(postAttributes, {
+      userId: user._id,
+      author: user.username,
+      submitted: new Date()
+    });
+    var postId =  Posts.insert(post);
+    return {
+      _id: postId
+    };
   }
 });