From 1713b52cb0b17bba9e161a717014b091a0239e88 Mon Sep 17 00:00:00 2001
From: Wyatt Johnson
Date: Thu, 15 Dec 2016 12:14:58 -0700
Subject: [PATCH] The current user can see their own roles.
---
 models/user.js | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/models/user.js b/models/user.js
index 216345cbd..287f57df2 100644
--- a/models/user.js
+++ b/models/user.js
@@ -136,7 +136,13 @@ UserSchema.options.toJSON.transform = (doc, ret, options) => {
 */
 UserSchema.method('filterForUser', function(user = false) {
 if (!user || !user.roles.includes('admin')) {
- return _.pick(this.toJSON(), ['id', 'displayName', 'settings', 'created_at', 'updated_at']);
+ let allowed = ['id', 'displayName', 'settings', 'created_at', 'updated_at'];
+
+ if (user && user.id === this.id) {
+ allowed.push('roles');
+ }
+
+ return _.pick(this.toJSON(), allowed);
 }
 return this.toJSON();
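Review bot: The self-check `user.id === this.id` in filterForUser decides whether `roles` is disclosed, and it is only correct if both `id` values are the same primitive type; if either side is an ObjectId-like object rather than a string (the schema is not visible in this hunk), strict equality never matches and the owner silently loses the field. That fails closed, so it is not a disclosure risk, but the filter is an authorization boundary and deserves a test that pins the output for anonymous, other-user, self and admin callers. I would also declare the list as `const allowed = [...]`, since it is mutated but never reassigned, and extend the doc comment that ends just above the method (it starts outside the hunk) with a line such as `Non-admins receive the public allow-list, a user viewing their own record also receives roles, and admins receive the full toJSON() output`. The method's closing lines are also outside the hunk.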