From 2715f2693f22c6912e403262a7404d3d7bf35c7b Mon Sep 17 00:00:00 2001
From: Jim Laurie
Date: Thu, 14 Dec 2017 16:12:39 +0100
Subject: [PATCH] Check if token user still exist
---
 .../config/policies/permissions.js | 9 ++++++++-
 .../config/queries/mongoose.js | 2 ++
 2 files changed, 10 insertions(+), 1 deletion(-)
diff --git a/packages/strapi-plugin-users-permissions/config/policies/permissions.js b/packages/strapi-plugin-users-permissions/config/policies/permissions.js
index 5df755c21e..95461e10b7 100644
--- a/packages/strapi-plugin-users-permissions/config/policies/permissions.js
+++ b/packages/strapi-plugin-users-permissions/config/policies/permissions.js
@@ -6,7 +6,14 @@ module.exports = async (ctx, next) => {
 if (ctx.request && ctx.request.header && ctx.request.header.authorization) {
 try {
- ctx.state.user = await strapi.plugins['users-permissions'].services.jwt.getToken(ctx);
+ const tokenUser = await strapi.plugins['users-permissions'].services.jwt.getToken(ctx);
+
+ ctx.state.user = await strapi.plugins['users-permissions'].services.user.fetch(_.pick(tokenUser, ['_id', 'id']));
+
+ if (!ctx.state.user) {
+ ctx.unauthorized('This user doesn\'t exit.');
+ }
+
 role = ctx.state.user.role;
 if (role.toString() === '0') {
diff --git a/packages/strapi-plugin-users-permissions/config/queries/mongoose.js b/packages/strapi-plugin-users-permissions/config/queries/mongoose.js
index 3f9eeb1047..994a4b7941 100644
--- a/packages/strapi-plugin-users-permissions/config/queries/mongoose.js
+++ b/packages/strapi-plugin-users-permissions/config/queries/mongoose.js
@@ -19,6 +19,8 @@ module.exports = {
 if (!params[this.primaryKey] && params.id) {
 params[this.primaryKey] = params.id;
 delete params.id;
+ } else if (params.id) {
+ delete params.id;
 }
 return this
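Review bot: The added `if (!ctx.state.user)` branch in permissions.js calls `ctx.unauthorized(...)` without a `return`, so unless that helper throws, execution falls through to `role = ctx.state.user.role;` and dereferences null. What happens next depends on the enclosing `try`'s handler, which lies outside this hunk. I would write `return ctx.unauthorized('This user doesn\'t exist.');`, which also corrects the "exit" typo in the message. It is also worth rejecting a token payload that carries neither `_id` nor `id` before calling `fetch`, because `_.pick` then yields `{}` and an empty filter may match an arbitrary user, depending on how `fetch` builds its query.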
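Review bot: The new `else if (params.id)` branch in mongoose.js strips the alias only when it is truthy, so a filter with `id: 0` or `id: ''` next to the primary key still reaches the query with the stray `id` key. Testing for the key's presence is more robust: `} else if ('id' in params) {`. Since both branches end in `delete params.id;`, a short comment such as `// Drop the id alias so the filter carries only the primary key.` would make the intent clear. The enclosing function starts and ends outside the hunk, so whether callers rely on `params` being mutated in place cannot be checked from here.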