var express = require('express'); var router = express.Router(); var User = require('../../models/User.js'); var requireScope = function (perm) { return function(req, res, next) { User.findOne({username: req.session.passport.user}, function(err, user) { if (err) throw err; if (user.scope.indexOf(perm) === -1) res.status(400).json({'message': 'No permission.'}); else next(); }); } }; router.get('/get', requireScope('users.view'), function (req, res, next) { var query = {}; if (req.body.username) query.username = req.body.username; User.find(query, function (err, users) { if (err) { next(err) } else { res.status(200).json(users); } }) }); module.exports = router;