Cannot Set Edit Permissions Correctly in Meteor.methods

I'm trying to set permissions for add, edit and delete through my Meteor methods. I'm working on a calendar that users can add events to and their events are visible to all, but an event can only be updated or removed by the event owner.

So far I have it to where only the logged in users can insert items and when it's inserted a createdBy:currentUserId value is assigned, but after an item is inserted I want it to be set up to where only the user that created the event can update or remove it. This should come from the createdBy value that is stored when the item is created.

I've read through the documentation but still can't get this to work. In my methods I have been setting a var with var currentUserId = Meteor.userId(); and I have been trying to restrict edits and deletes through the method with if({createdBy: currentUserId}) {allow edit and delete here}

Everything I have tried so far does not prevent other users from deleting or editing other users' events.

I'm only posting the code that's relevant to edit as I'm assuming edit and delete will be almost identical. I am very new to Meteor, so any and all help is appreciated!

UPDATE! I'm trying to switch my createdBy into my method like @Yann recommended, but it will not allow the user ID to be placed and just returns an error of createdBy is required. The code I'm trying is

Meteor.methods({
  addEvent( event ) {
    var currentUserId = Meteor.userId();
    var createdBy = currentUserId;
    check( event, {

      title: String,
      start: String,
      end: String,
      type: String,
      guests: Number
    });

    try {
      return Events.insert( event, {
        $set: createdBy
      });
    } catch ( exception ) {
      throw new Meteor.Error( '500', `${ exception }` );
    }
  }
});

END OF UPDATE

The add edit modal code

Template.addEditEventModal.events({
  'submit form' ( event, template ) {
    event.preventDefault();
    var currentUserId = Meteor.userId();

    let eventModal = Session.get( 'eventModal' ),
        submitType = eventModal.type === 'edit' ? 'editEvent' : 'addEvent',
        eventItem  = {
          createdBy: currentUserId,
          title: template.find( '[name="title"]' ).value,
          start: template.find( '[name="start"]' ).value,
          end: template.find( '[name="end"]' ).value,
          type: template.find( '[name="type"] option:selected' ).value,
          guests: parseInt( template.find( '[name="guests"]' ).value, 10 )
        };

    if ( submitType === 'editEvent' ) {
      eventItem._id   = eventModal.event;
    }

    Meteor.call( submitType, eventItem, ( error ) => {
      if ( error ) {
        Bert.alert( error.reason, 'danger' );
      } else {
        Bert.alert( `Event ${ eventModal.type }ed!`, 'success' );
        closeModal();
      }
    });
  },
  'click .delete-event' ( event, template ) {
    let eventModal = Session.get( 'eventModal' );
    if ( confirm( 'Are you sure? This is permanent.' ) ) {
      Meteor.call( 'removeEvent', eventModal.event, ( error ) => {
        if ( error ) {
          Bert.alert( error.reason, 'danger' );
        } else {
          Bert.alert( 'Event deleted!', 'success' );
          closeModal();
        }
      });
    }
  }
});

The update method

Meteor.methods({

  editEvent( event ) {

    check( event, {
      _id: String,
      createdBy: String,
      title: Match.Optional( String ),
      start: String,
      end: String,
      type: Match.Optional( String ),
      guests: Match.Optional( Number )
    });
    var currentUserId = Meteor.userId();
    if({createdBy: currentUserId}){
      try {
        return Events.update( event._id, {
          $set: event
        });
      } catch ( exception ) {
        throw new Meteor.Error( '500', `${ exception }` );
      }
    }
  }
});

There are several errors in your code:

Firstly, Events.insert( event, {$set: createdBy }) makes no sense. You're trying to do a $set at the same time as an insert and your createdBy is just a string.

Try:

Meteor.methods({
  addEvent( event ) {
    check( event, {
      title: String,
      start: String,
      end: String,
      type: String,
      guests: Number
    });

    try {
      event.createdBy = Meteor.userId();
      return Events.insert(event);
    } catch ( exception ) {
      throw new Meteor.Error( '500', `${ exception }` );
    }
  }
});

Later in your updated method you have if({createdBy: currentUserId}), which also makes no sense as it will always evaluate to true (you're basically writing if(object)). Use instead:

if( event.createdBy === Meteor.userId() )

Note that allow/deny rules do not apply to server methods.
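
An added example (not from the question or the answer) of an ownership check for both edit and remove that reads the owner from the stored document, since the createdBy field in the method argument is filled in by the client form. The Map stands in for the Events collection and userId for this.userId inside a method, so the block runs in plain Node; MethodError, EDITABLE and the sample data are constructed for illustration.

```javascript
// Stand-in for the Events collection (constructed sample data); in Meteor
// this would be a Mongo.Collection read with Events.findOne( _id ).
const Events = new Map([
  [ 'ev1', { _id: 'ev1', createdBy: 'alice', title: 'Standup', guests: 3 } ]
]);

// Hypothetical stand-in for Meteor.Error( error, reason ).
class MethodError extends Error {
  constructor( code, reason ) {
    super( reason );
    this.error = code;
    this.reason = reason;
  }
}

// Fields a caller may change; _id and createdBy are never taken from the client.
const EDITABLE = [ 'title', 'start', 'end', 'type', 'guests' ];

// userId stands for this.userId inside a Meteor method (server-side identity).
function editEvent( userId, event ) {
  if ( !userId ) throw new MethodError( 'not-logged-in', 'You must be logged in.' );

  const stored = Events.get( event._id );
  if ( !stored ) throw new MethodError( 'not-found', 'No such event.' );

  // Compare the owner recorded at insert time, not event.createdBy from the request.
  if ( stored.createdBy !== userId ) {
    throw new MethodError( 'not-authorized', 'Only the owner can edit this event.' );
  }

  const changes = {};
  for ( const key of EDITABLE ) {
    if ( Object.prototype.hasOwnProperty.call( event, key ) ) changes[ key ] = event[ key ];
  }
  Object.assign( stored, changes ); // Meteor: Events.update( event._id, { $set: changes } )
  return changes;
}

function removeEvent( userId, eventId ) {
  const stored = Events.get( eventId );
  if ( !stored ) throw new MethodError( 'not-found', 'No such event.' );
  if ( !userId || stored.createdBy !== userId ) {
    throw new MethodError( 'not-authorized', 'Only the owner can remove this event.' );
  }
  return Events.delete( eventId ); // Meteor: Events.remove( eventId )
}
```

Because the update is built only from the EDITABLE fields, a request cannot reassign createdBy or _id through $set.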