server/api/users/users.policy.js

const _ = require('lodash');

const User = require('../../models/user');
const { ensureRequest } = require('../../utils/express');
const { hasRole, sameRecord } = require('../utils/policy');

/**
 * An authenticated user can retrieve himself. Administrators can retrieve anyone.
 *
 * @function
 * @name canRetrieve
 * @memberof module:server/api/users
 */
exports.canRetrieve = function(req) {
  return hasRole(req, 'admin') || sameRecord(req.currentUser, req.user);
};

/**
 * Serializes a user for API responses.
 *
 * Detailed properties of a user can only be seen by the user itself or an administrator.
 *
 * @function
 * @name serialize
 * @memberof module:server/api/users
 *
 * @param {Request} req - The Express request object.
 * @param {User} user - A user record.
 * @returns {object} A serialized user.
 */
exports.serialize = function(req, user) {
  ensureRequest(req);

  const serialized = {
    email: user.get('email')
  };

  const admin = req.currentUser && req.currentUser.hasRole('admin');
  const sameUser = req.currentUser && req.currentUser.get('api_id') == user.get('api_id');

  if (admin || sameUser) {
    _.extend(serialized, {
      id: user.get('api_id'),
      href: user.get('href'),
      active: user.get('active'),
      roles: user.get('roles'),
      createdAt: user.get('created_at'),
      updatedAt: user.get('updated_at')
    });
  }

  return serialized;
};