Kate Price

Reputation: 25

Meteor.userId from the client - changing shows user email, correct behavior?

I was looking at another question's answer regarding changing the userId from the client side and following along, but not getting the expected results:

Meteor.userId is changeable

I followed steps 1 through 5 just fine with no issues but then set the userId() to the user I'd just logged out in a separate browser using Meteor.default_connection.setUserId('usersfjhjdskfh');

Rather than display a spinny in place of the email address since the server shouldn't be returning data, it displayed the actual user's email address I'd used there. (It did not, however, bring back the party information and show it on the map.)

Is this intended behavior and I missed the point of the last answer given back in December or has something changed? (I'm running Meteor 0.6.2 and both insecure and autopublish were removed from my example)

Upvotes: 1

Views: 1358

Answers (1)

Tarang

Reputation: 75975

I'm assuming you want to change the user's _id and not change the logged in user via an id. To change the user id you could probably do something like

Meteor.users.update(Meteor.userId(), {$set:{_id:<new Id>}});

Assuming you have the correct permissions in place with Meteor.users.allow. This should change the _id of the current logged in user.

The previous question demonstrated the security when changing local client side Meteor functions and how it would affect the server. The Meteor server doesn't trust anything from the client and double checks it with the allow/deny rules before changing it, whatever the data may be for that current logged in user. So the user does need to be logged in to change any data about them on the mongodb database on the server for the allow/deny rules to be committed.

Upvotes: 1
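
A simplified model of the server-side check described in the answer above, added here as an example; it is not part of the original answer and not Meteor's own code. It assumes the server derives the user id from a login token it issued and ignores any id the client claims; `serverUserId`, `publishOwnUser`, `serverUpdate`, `claimedUserId` and the sample accounts are constructed for illustration.

```javascript
// Simplified model of the client/server trust boundary (constructed; not Meteor source).
const users = new Map([
  ['u1', { _id: 'u1', emails: ['alice@example.com'], profile: { name: 'Alice' } }],
  ['u2', { _id: 'u2', emails: ['bob@example.com'], profile: { name: 'Bob' } }],
]);
// Login tokens issued by the server at login time: token -> user id.
const tokens = new Map([['tok-alice', 'u1']]);

// Identity comes only from the token bound to the session, never from the request body.
function serverUserId(session) {
  return tokens.get(session.loginToken) || null;
}

// Allow rule using the (userId, doc, fieldNames) shape of Meteor's allow callbacks:
// a logged-in user may change only the profile field of their own document.
function allowUpdate(userId, doc, fieldNames) {
  return userId !== null && doc._id === userId &&
    fieldNames.every((f) => f === 'profile');
}

// Publication-like read: the caller sees their own record or nothing.
function publishOwnUser(session) {
  const uid = serverUserId(session);
  return uid ? [users.get(uid)] : [];
}

// Write path: request.claimedUserId is whatever the client set locally; it is ignored.
function serverUpdate(session, request) {
  const uid = serverUserId(session);
  const doc = users.get(request.targetId);
  if (!doc || !allowUpdate(uid, doc, Object.keys(request.set))) return 'access denied';
  Object.assign(doc, request.set);
  return 'ok';
}

// A logged-out session whose client overwrote its local user id with Bob's id.
const spoofed = { loginToken: null };
const spoofedWrite = { claimedUserId: 'u2', targetId: 'u2', set: { profile: { name: 'x' } } };
console.log(publishOwnUser(spoofed).length, serverUpdate(spoofed, spoofedWrite));
```

In this model, a publication that returned user records without filtering on the server-derived id would expose them regardless of what the client set locally, so that filter is the place to look when data appears unexpectedly.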
