Diffstat (limited to 'src')
-rw-r--r--src/hooks/index.js9
-rw-r--r--src/services/meal/hooks/index.js3
-rw-r--r--src/services/meal/meal-model.js2
-rw-r--r--src/services/user/hooks/index.js91
-rw-r--r--src/services/user/user-model.js2
5 files changed, 87 insertions, 20 deletions
diff --git a/src/hooks/index.js b/src/hooks/index.js
index 2b122bb..4c535c4 100644
--- a/src/hooks/index.js
+++ b/src/hooks/index.js
@@ -8,12 +8,3 @@
const hooks = require('feathers-hooks');
const auth = require('feathers-authentication').hooks;
-const or = require('promise-or');
-
-exports.restrictToOwnersOrAdmins = function() {
- var ownerHook = auth.restrictToOwner()
- var adminHook = auth.restrictToRoles({ roles: ["admin"] })
- return function(hook) {
- return or(ownerHook(hook), adminHook(hook))
- };
-};
diff --git a/src/services/meal/hooks/index.js b/src/services/meal/hooks/index.js
index 2e2795a..dd0d7ca 100644
--- a/src/services/meal/hooks/index.js
+++ b/src/services/meal/hooks/index.js
@@ -9,7 +9,6 @@ exports.before = {
auth.verifyToken(),
auth.populateUser(),
auth.restrictToAuthenticated(),
- globalHooks.restrictToOwnersOrAdmins(),
],
find: [],
get: [],
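Review bot: Removing `globalHooks.restrictToOwnersOrAdmins()` from `all` leaves `auth.restrictToAuthenticated()` as the only gate on every meal method, and the `find`/`get` lists visible here are empty, so any logged-in user can now read, update or delete another user's meals unless a per-method hook outside this hunk restores the check. If the helper was dropped because it lived in the global hooks file, the same restriction can be expressed per method with the built-in hook, e.g. `auth.restrictToOwner({ ownerField: 'userid' })` on `get`, `update`, `patch` and `remove`, passing `ownerField` explicitly since the meal column is renamed to `userid` in this commit. The remainder of `exports.before` (create/update/patch/remove) lies outside the hunk.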
@@ -26,6 +25,6 @@ exports.after = {
create: [],
update: [],
patch: [],
- remove: []
+ remove: [],
};
diff --git a/src/services/meal/meal-model.js b/src/services/meal/meal-model.js
index d15b244..90f35ca 100644
--- a/src/services/meal/meal-model.js
+++ b/src/services/meal/meal-model.js
@@ -21,7 +21,7 @@ module.exports = function(sequelize) {
type: Sequelize.INTEGER,
allowNull: false
},
- user_id: {
+ userid: {
type: Sequelize.INTEGER,
references: {
model: sequelize.model('users'),
diff --git a/src/services/user/hooks/index.js b/src/services/user/hooks/index.js
index 9dfe425..85f8e04 100644
--- a/src/services/user/hooks/index.js
+++ b/src/services/user/hooks/index.js
@@ -4,39 +4,114 @@ const globalHooks = require('../../../hooks');
const hooks = require('feathers-hooks');
const auth = require('feathers-authentication').hooks;
+var _feathersErrors = require('feathers-errors');
+var _feathersErrors2 = _interopRequireDefault(_feathersErrors);
+function _interopRequireDefault(obj) { return obj && obj.__esModule ? obj : { default: obj }; }
+
+function validateRoleOnCreate () {
+ return function(hook) {
+ var _this = this;
+
+ var userRole = hook.params.user && hook.params.user.role;
+
+ return new Promise(function (resolve, reject) {
+ // Set provider as undefined so we avoid an infinite loop if this hook is
+ // set on the resource we are requesting.
+ var params = Object.assign({}, hook.params, { provider: undefined });
+
+ if (! hook.data.role) {
+ hook.data.role = 'user'
+ resolve(hook);
+ }
+ if (userRole && userRole.toString() === 'user') {
+ reject(new _feathersErrors2.default.Forbidden('You do not have permission to create new users.'));
+ }
+ else if (userRole && userRole.toString() === 'manager' && hook.data.role.toString() !== 'user') {
+ reject(new _feathersErrors2.default.Forbidden('You do not have permission to change this user\'s role.'));
+ }
+ else {
+ resolve(hook);
+ }
+ });
+ }
+}
+
+function validateRoleOnUpdate () {
+ return function(hook) {
+ var _this = this;
+
+ var userRole = hook.params.user.role;
+
+ return new Promise(function (resolve, reject) {
+ // Set provider as undefined so we avoid an infinite loop if this hook is
+ // set on the resource we are requesting.
+ var params = Object.assign({}, hook.params, { provider: undefined });
+
+ return _this.get(hook.id, params).then(function (data) {
+ if (data.toJSON) {
+ data = data.toJSON();
+ } else if (data.toObject) {
+ data = data.toObject();
+ }
+
+ var dataRole = data.role;
+ if (userRole.toString() === 'user' && dataRole.toString() !== 'user') {
+ reject(new _feathersErrors2.default.Forbidden('You do not have permission to change your role.'));
+ }
+ else if (userRole.toString() === 'manager' && dataRole.toString() !== 'user') {
+ reject(new _feathersErrors2.default.Forbidden('You do not have permission to change this user\'s role.'));
+ }
+ else {
+ resolve(hook);
+ }
+ }).catch(reject);
+ });
+ }
+}
+
+const roleConfig = {
+ fieldName: 'role',
+ roles: ['manager','admin'],
+ owner: true,
+ ownerField: 'id'
+}
+
exports.before = {
all: [],
find: [
auth.verifyToken(),
auth.populateUser(),
- auth.restrictToAuthenticated()
+ auth.restrictToAuthenticated(),
],
get: [
auth.verifyToken(),
auth.populateUser(),
auth.restrictToAuthenticated(),
- auth.restrictToOwner({ ownerField: 'id' })
+ auth.restrictToRoles(roleConfig),
],
create: [
- auth.hashPassword()
+ auth.hashPassword(),
+ validateRoleOnCreate(),
],
update: [
auth.verifyToken(),
auth.populateUser(),
auth.restrictToAuthenticated(),
- auth.restrictToOwner({ ownerField: 'id' })
+ auth.restrictToRoles(roleConfig),
+ validateRoleOnUpdate(),
],
patch: [
auth.verifyToken(),
auth.populateUser(),
auth.restrictToAuthenticated(),
- auth.restrictToOwner({ ownerField: 'id' })
+ validateRoleOnUpdate(),
+ validateRoleOnUpdate(),
],
remove: [
auth.verifyToken(),
auth.populateUser(),
auth.restrictToAuthenticated(),
- auth.restrictToOwner({ ownerField: 'id' })
+ validateRoleOnUpdate(),
]
};
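Review bot: The `patch` and `remove` lists at the end of the hunk drop `restrictToOwner` but, unlike `get` and `update`, do not add `auth.restrictToRoles(roleConfig)`, and `validateRoleOnUpdate` only rejects when the target record's current role is not `'user'`, so any authenticated caller with role `user` can patch or delete any other `user` account (and `patch` lists `validateRoleOnUpdate()` twice). Neither validator looks at the role being requested: `validateRoleOnUpdate` never reads `hook.data.role`, so a caller can raise their own role, and `validateRoleOnCreate` resolves whenever `hook.params.user` is absent, so an unauthenticated request to the open `create` route can register with `role: 'admin'`; with the column's ENUM dropped elsewhere in this commit any string would be stored. Add `auth.restrictToRoles(roleConfig),` before `validateRoleOnUpdate()` in `patch` and `remove`, and make both validators refuse a requested role the caller may not grant, as sketched below.
```javascript
// … unchanged: validateRoleOnCreate setup and default-to-'user' branch …
      if (!hook.params.user && hook.data.role.toString() !== 'user') {
        reject(new _feathersErrors2.default.Forbidden('You do not have permission to set a role.'));
      }
// … unchanged: existing user/manager checks …

// … unchanged: validateRoleOnUpdate fetch of the current record …
      var requestedRole = hook.data && hook.data.role;
      if (requestedRole !== undefined && requestedRole.toString() !== dataRole.toString() && userRole.toString() !== 'admin') {
        reject(new _feathersErrors2.default.Forbidden('You do not have permission to change this user\'s role.'));
      }
// … unchanged: existing role checks and resolve …

  patch: [
    auth.verifyToken(),
    auth.populateUser(),
    auth.restrictToAuthenticated(),
    auth.restrictToRoles(roleConfig),
    validateRoleOnUpdate(),
  ],
  remove: [
    // … unchanged: verifyToken / populateUser / restrictToAuthenticated …
    auth.restrictToRoles(roleConfig),
    validateRoleOnUpdate(),
  ]
```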
@@ -47,5 +122,7 @@ exports.after = {
create: [],
update: [],
patch: [],
- remove: []
+ remove: [
+ // remove user's meals
+ ],
};
diff --git a/src/services/user/user-model.js b/src/services/user/user-model.js
index 03db95b..d7c00ee 100644
--- a/src/services/user/user-model.js
+++ b/src/services/user/user-model.js
@@ -19,7 +19,7 @@ module.exports = function(sequelize) {
allowNull: false
},
role: {
- type: Sequelize.ENUM('user', 'manager', 'admin'),
+ type: Sequelize.STRING,
allowNull: false
},
goal: {
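Review bot: Switching `role` from `ENUM('user', 'manager', 'admin')` to `Sequelize.STRING` removes the only database-level constraint on the value, while the hook checks added in this commit compare `role` only against `'user'` and `'manager'` and let other callers pass any string through, so a mistyped or crafted role can now be persisted. If the ENUM was dropped for migration reasons, keep the invariant in the model with `validate: { isIn: [['user', 'manager', 'admin']] }` on the `role` attribute, or restore the ENUM type. The enclosing model definition starts and ends outside the hunk.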