Is the user signed in?

There is one final problem with our method: anyone can use it. We need to make sure there is a user signed in and that the current user owns both teams. Otherwise it's possible (though quite unlikely) for other users to insert games once they get hold of a team's _id.

Firstly we'll make sure the user is signed in:

both/collections/games.js

...
Meteor.methods({
  gamesInsert: function(teamOneId, teamTwoId){
    // Meteor.userId() is null when nobody is signed in, so this check throws
    check(Meteor.userId(), String);
    check(teamOneId, String);
    check(teamTwoId, String);

    var teamOne = Teams.findOne({_id: teamOneId});
    var teamTwo = Teams.findOne({_id: teamTwoId});
...

While we could do something like if(Meteor.userId()){, this way is less code and has the benefit of throwing an exception if something goes wrong: when no user is signed in, Meteor.userId() is null and fails the String check.

Secondly let's make sure the user owns the teams:

both/collections/games.js

...
Meteor.methods({
  gamesInsert: function(teamOneId, teamTwoId){
    check(Meteor.userId(), String);
    check(teamOneId, String);
    check(teamTwoId, String);

    // Only match teams owned by the current user; any other team comes back undefined
    var teamOne = Teams.findOne({_id: teamOneId, ownerId: Meteor.userId()});
    var teamTwo = Teams.findOne({_id: teamTwoId, ownerId: Meteor.userId()});
...
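
The two checks above can be exercised outside Meteor with the added example below, which is not part of the original tutorial code. makeTeams, checkString, attempt, the sample teams and the 'not-authorized' rejection are constructed stand-ins and assumptions; the rest of the real method is elided on this page.

```javascript
// Constructed stand-in for a Meteor collection: findOne with exact-match selectors only.
function makeTeams(docs) {
  return {
    findOne: function (selector) {
      return docs.find(function (doc) {
        return Object.keys(selector).every(function (key) {
          return doc[key] === selector[key];
        });
      });
    }
  };
}

// Constructed stand-in for check(value, String): throws on anything that is not a string.
function checkString(value) {
  if (typeof value !== 'string') throw new Error('Match failed');
}

// Constructed sample data: two teams owned by alice, one owned by bob.
var Teams = makeTeams([
  {_id: 't1', name: 'Team A', ownerId: 'alice'},
  {_id: 't2', name: 'Team B', ownerId: 'alice'},
  {_id: 't3', name: 'Team C', ownerId: 'bob'}
]);

// Same checks as gamesInsert above. userId is a parameter only so the example runs
// without Meteor; in the real method it must come from Meteor.userId() on the server,
// never from an argument the client supplies.
function gamesInsert(userId, teamOneId, teamTwoId) {
  checkString(userId);      // null (signed out) fails here
  checkString(teamOneId);
  checkString(teamTwoId);

  var teamOne = Teams.findOne({_id: teamOneId, ownerId: userId});
  var teamTwo = Teams.findOne({_id: teamTwoId, ownerId: userId});
  // Assumption: reject explicitly when either lookup found nothing (team missing or not owned).
  if (!teamOne || !teamTwo) throw new Error('not-authorized');
  return {ownerId: userId, teams: [{_id: teamOne._id}, {_id: teamTwo._id}]};
}

// Helper that reports the outcome of a call as a string.
function attempt(userId, teamOneId, teamTwoId) {
  try { gamesInsert(userId, teamOneId, teamTwoId); return 'inserted'; }
  catch (e) { return e.message; }
}
```

Because a team owned by someone else is indistinguishable from a missing team in the query result, the method has to treat an undefined lookup as a rejection rather than continue with it.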