| -rw-r--r-- | src/services/user/hooks/index.js | 18 | ||||
| -rw-r--r-- | test/services/meal/index.test.js | 26 | ||||
| -rw-r--r-- | test/services/user/roles.test.js | 14 |
3 files changed, 55 insertions, 3 deletions
diff --git a/src/services/user/hooks/index.js b/src/services/user/hooks/index.js index 8210e81..22493c6 100644 --- a/src/services/user/hooks/index.js +++ b/src/services/user/hooks/index.js @@ -77,9 +77,17 @@ function removeUserMeals () { // Set provider as undefined so we avoid an infinite loop if this hook is // set on the resource we are requesting. var params = Object.assign({}, hook.params, { provider: undefined }); - return hook.app.service('meals').remove(null, { userid: hook.params.user.id }).then(function (data) { - resolve(hook); - }).catch(reject); + + return _this.get(hook.id, params).then(function (data) { + if (data.toJSON) { + data = data.toJSON(); + } else if (data.toObject) { + data = data.toObject(); + } + return hook.app.service('meals').remove(null, { query: { userid: hook.id }}).then(function (data) { + resolve(hook); + }).catch(reject); + }) }); } } @@ -97,6 +105,10 @@ exports.before = { auth.verifyToken(), auth.populateUser(), auth.restrictToAuthenticated(), + auth.restrictToRoles({ + fieldName: 'role', + roles: ['manager','admin'], + }), ], get: [ auth.verifyToken(), diff --git a/test/services/meal/index.test.js b/test/services/meal/index.test.js index 8fdbc36..e1b36f2 100644 --- a/test/services/meal/index.test.js +++ b/test/services/meal/index.test.js @@ -81,6 +81,20 @@ describe('meal service', () => { }) }) + it('should create some new meals', (done) => { + chai.request(app) + .post('/meals') + .set('Accept', 'application/json') + .set('Authorization', 'Bearer '.concat(token)) + .send({ + userid: userid, + }) + .end((err, res) => { + assert.notEqual(res.statusCode, 200) + done() + }) + }) + it('should list its meals', (done) => { chai.request(app) .patch('/meals/'.concat(mealid)) 
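Review bot: The new outer `_this.get(hook.id, params)` chain in removeUserMeals has no rejection handler, so if the lookup fails (for example the user record is already gone) neither `resolve` nor `reject` appears to be called and the hook would hang; ending the chain with `}).catch(reject);` instead of `})` surfaces the error. The fetched `data` is converted with toJSON/toObject but never used, and the inner callback's `data` parameter shadows it, so either drop the lookup or use its result. Because `remove(null, …)` is a multi-record delete, it would also be safer to return early when `hook.id` is null or undefined, since how the meals adapter treats `userid: undefined` is not visible here. The function starts and ends outside this hunk.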
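Review bot: With `auth.restrictToRoles({ fieldName: 'role', … })` the `role` field on the user record becomes the only authorization input for this method, so the service also needs to stop a user from setting or changing their own `role` through create, patch or update; no such guard is visible in this hunk. The key naming which method this array belongs to is above the hunk, so a short comment stating the intent would help, for example `// only managers and admins may list users` if this is the `find` list. Note that the `get` list that follows does not receive the same restriction in this hunk; whether that is intended is worth stating.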
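Review bot: `assert.notEqual(res.statusCode, 200)` in the added 'should create some new meals' test cannot tell a rejection from a success, because a successful create normally answers 201 and a server error answers 500, and both pass. Assert the one status the test expects instead, e.g. `assert.equal(res.statusCode, 403)` if the request is meant to be refused, and rename the test to say so, since the title currently says the opposite of what is checked. The same applies to the GET test added in the `@@ -121,4 +135,16 @@` hunk of this file, which also reuses the title 'should list its meals' of an existing test. Both tests ignore `err`.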
@@ -121,4 +135,16 @@ describe('meal service', () => { }) }) + it('should list its meals', (done) => { + chai.request(app) + .get('/meals/'.concat(mealid)) + .set('Accept', 'application/json') + .set('Authorization', 'Bearer '.concat(token)) + .end((err, res) => { + assert.notEqual(res.statusCode, 200) + done() + }) + }) + + }) diff --git a/test/services/user/roles.test.js b/test/services/user/roles.test.js index 660df9d..11fd2a4 100644 --- a/test/services/user/roles.test.js +++ b/test/services/user/roles.test.js @@ -92,6 +92,20 @@ describe('user roles', () => { }) }) + it('doesnt let users fetch other users', (done) => { + chai.request(app) + .get('/users/') + .set('Accept', 'application/json') + .set('Authorization', 'Bearer '.concat(userRole.token)) + .send({ + }) + .end((err, res) => { + console.log(res.body) + done() + }) + }) + + it('doesnt let users CRUD other users', (done) => { chai.request(app) .patch('/users/'.concat(managerRole.id)) |
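Review bot: The added 'doesnt let users fetch other users' test has no assertion, so it passes whether or not the new role restriction on the user service works; it only runs `console.log(res.body)` before `done()`. Replace the log with a check of the refusal, presumably `assert.equal(res.statusCode, 403)`, and ideally also assert that the body holds no user records. Logging the response body would also put any returned user data into the test output if the restriction ever regresses. The empty `.send({ })` on a GET request can be dropped.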
