Reputation: 41
I am trying to add a "ratings" property to a collection and want to enable ANY user (not just the owner) to be able to add a rating to the ratings set within a collection. My problem is that I have allow/deny rules set up so that only the owner can perform updates to collections that they own. Is there a way to allow any user to update a collection only if they are updating a specific property (the "ratings" set), and deny them update access if they are trying to update any other property?
My allow/deny rules on the server are as follows...
    Playlists.allow({
        insert: function(userId, doc) {
            return (userId && doc.owner === userId);
        },
        update: function (userId, docs, fields, modifier) {
            return _.all(docs, function(doc) {
                return doc.owner === userId;
            });
        },
        remove: function (userId, docs) {
            return _.all(docs, function(doc) {
                return doc.owner === userId;
            });
        }
    });
    Playlists.deny({
        update: function (userId, docs, fields, modifier) {
            return _.contains(fields, 'owner');
        },
        remove: function (userId, docs) {
            return _.any(docs, function (doc) {
                return doc.locked;
            });
        },
        fetch: ['locked']
    });
Upvotes: 4
Views: 1140
Reputation: 952
Create a Meteor.methods({updateRatePlaylist:myUpdateRatePlaylistFunction})
Upvotes: -2
Reputation: 12231
In Playlists.deny.update, you can change the logic so that it first checks whether anyone is trying to modify the ratings property (e.g. with $addToSet) and return false if so. So you'd end up with code like this:
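    Playlists.deny({
        update: function(userId, docs, fields, modifier) {
            // fields is an array of top-level field names, so test membership;
            // requiring it to be the only field keeps an 'owner' change from riding along
            if (fields.length === 1 && _.contains(fields, 'ratings') &&
                    modifier["$addToSet"] && modifier["$addToSet"].ratings) {
                return false; // don't deny this
            }
            else {
                return _.contains(fields, 'owner');
            }
        }
    });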
Upvotes: 3
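Added example, not part of the original thread: Meteor permits a client write only when no deny rule returns true and at least one allow rule returns true, so a non-owner's rating also needs an allow rule that accepts it. The sketch below keeps the thread's (userId, docs, fields, modifier) signature; the helper names, the logged-in requirement and the sample values are assumptions.

```javascript
// Rule callbacks written as plain functions so they can be unit-tested
// outside Meteor. Helper names are hypothetical, not from the thread.

// True only when the write touches nothing but `ratings`, using a single
// $addToSet of one value (no $set/$pull/$unset and no $each riding along).
function isRatingOnlyUpdate(fields, modifier) {
  var ops = Object.keys(modifier);
  if (fields.length !== 1 || fields[0] !== 'ratings') return false;
  if (ops.length !== 1 || ops[0] !== '$addToSet') return false;
  var keys = Object.keys(modifier.$addToSet);
  if (keys.length !== 1 || keys[0] !== 'ratings') return false;
  var value = modifier.$addToSet.ratings;
  var isBulk = value !== null && typeof value === 'object' && '$each' in value;
  return value !== undefined && !isBulk;
}

// Allow: any logged-in user may add a rating; everything else is owner-only.
// (Requiring a login for ratings is an assumption of this example.)
function allowUpdate(userId, docs, fields, modifier) {
  if (!userId) return false;
  if (isRatingOnlyUpdate(fields, modifier)) return true;
  return docs.every(function (doc) { return doc.owner === userId; });
}

// Deny: nobody may reassign ownership, same as the question's rule.
function denyUpdate(userId, docs, fields, modifier) {
  return fields.indexOf('owner') !== -1;
}

// Wiring on the Meteor server, in place of the existing update callbacks;
// the insert and remove callbacks from the question stay as they are.
if (typeof Playlists !== 'undefined') {
  Playlists.allow({ update: allowUpdate });
  Playlists.deny({ update: denyUpdate });
}

// Constructed sample: a non-owner adds a rating to someone else's playlist.
var sampleDocs = [{ owner: 'alice', ratings: [] }];
console.log(allowUpdate('bob', sampleDocs, ['ratings'],
                        { $addToSet: { ratings: 4 } }));
```

Because the allow rule only accepts a rating when `ratings` is the sole field and `$addToSet` the sole operator, a request that combines a rating with a `$set` on another field falls back to the owner check.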