@kalisio/kdk 2.5.3 → 2.6.1

package/coverage/lcov-report/core/api/hooks/hooks.authorisations.js.html

@@ -23,30 +23,30 @@
         <div class='clearfix'>
             
             <div class='fl pad1y space-right2'>
-                <span class="strong">85.51% </span>
+                <span class="strong">15.28% </span>
                 <span class="quiet">Statements</span>
-                <span class='fraction'>248/290</span>
+                <span class='fraction'>59/386</span>
             </div>
         
             
             <div class='fl pad1y space-right2'>
-                <span class="strong">70.73% </span>
+                <span class="strong">78.57% </span>
                 <span class="quiet">Branches</span>
-                <span class='fraction'>58/82</span>
+                <span class='fraction'>11/14</span>
             </div>
         
             
             <div class='fl pad1y space-right2'>
-                <span class="strong">75% </span>
+                <span class="strong">18.18% </span>
                 <span class="quiet">Functions</span>
-                <span class='fraction'>6/8</span>
+                <span class='fraction'>2/11</span>
             </div>
         
             
             <div class='fl pad1y space-right2'>
-                <span class="strong">85.51% </span>
+                <span class="strong">15.28% </span>
                 <span class="quiet">Lines</span>
-                <span class='fraction'>248/290</span>
+                <span class='fraction'>59/386</span>
             </div>
         
             
@@ -61,7 +61,7 @@
             </div>
         </template>
     </div>
-    <div class='status-line high'></div>
+    <div class='status-line low'></div>
     <pre><table class="coverage">
 <tr><td class="line-count quiet"><a name='L1'></a><a href='#L1'>1</a>
 <a name='L2'></a><a href='#L2'>2</a>
@@ -354,24 +354,118 @@
 <a name='L289'></a><a href='#L289'>289</a>
 <a name='L290'></a><a href='#L290'>290</a>
 <a name='L291'></a><a href='#L291'>291</a>
-<a name='L292'></a><a href='#L292'>292</a></td><td class="line-coverage quiet"><span class="cline-any cline-yes">2x</span>
-<span class="cline-any cline-yes">2x</span>
-<span class="cline-any cline-yes">2x</span>
-<span class="cline-any cline-yes">2x</span>
-<span class="cline-any cline-yes">2x</span>
-<span class="cline-any cline-yes">2x</span>
-<span class="cline-any cline-yes">2x</span>
-<span class="cline-any cline-yes">2x</span>
-<span class="cline-any cline-yes">2x</span>
-<span class="cline-any cline-yes">2x</span>
-<span class="cline-any cline-yes">2x</span>
-<span class="cline-any cline-yes">2x</span>
-<span class="cline-any cline-yes">2x</span>
-<span class="cline-any cline-yes">2x</span>
-<span class="cline-any cline-yes">2x</span>
-<span class="cline-any cline-yes">2x</span>
-<span class="cline-any cline-yes">2x</span>
-<span class="cline-any cline-yes">2x</span>
+<a name='L292'></a><a href='#L292'>292</a>
+<a name='L293'></a><a href='#L293'>293</a>
+<a name='L294'></a><a href='#L294'>294</a>
+<a name='L295'></a><a href='#L295'>295</a>
+<a name='L296'></a><a href='#L296'>296</a>
+<a name='L297'></a><a href='#L297'>297</a>
+<a name='L298'></a><a href='#L298'>298</a>
+<a name='L299'></a><a href='#L299'>299</a>
+<a name='L300'></a><a href='#L300'>300</a>
+<a name='L301'></a><a href='#L301'>301</a>
+<a name='L302'></a><a href='#L302'>302</a>
+<a name='L303'></a><a href='#L303'>303</a>
+<a name='L304'></a><a href='#L304'>304</a>
+<a name='L305'></a><a href='#L305'>305</a>
+<a name='L306'></a><a href='#L306'>306</a>
+<a name='L307'></a><a href='#L307'>307</a>
+<a name='L308'></a><a href='#L308'>308</a>
+<a name='L309'></a><a href='#L309'>309</a>
+<a name='L310'></a><a href='#L310'>310</a>
+<a name='L311'></a><a href='#L311'>311</a>
+<a name='L312'></a><a href='#L312'>312</a>
+<a name='L313'></a><a href='#L313'>313</a>
+<a name='L314'></a><a href='#L314'>314</a>
+<a name='L315'></a><a href='#L315'>315</a>
+<a name='L316'></a><a href='#L316'>316</a>
+<a name='L317'></a><a href='#L317'>317</a>
+<a name='L318'></a><a href='#L318'>318</a>
+<a name='L319'></a><a href='#L319'>319</a>
+<a name='L320'></a><a href='#L320'>320</a>
+<a name='L321'></a><a href='#L321'>321</a>
+<a name='L322'></a><a href='#L322'>322</a>
+<a name='L323'></a><a href='#L323'>323</a>
+<a name='L324'></a><a href='#L324'>324</a>
+<a name='L325'></a><a href='#L325'>325</a>
+<a name='L326'></a><a href='#L326'>326</a>
+<a name='L327'></a><a href='#L327'>327</a>
+<a name='L328'></a><a href='#L328'>328</a>
+<a name='L329'></a><a href='#L329'>329</a>
+<a name='L330'></a><a href='#L330'>330</a>
+<a name='L331'></a><a href='#L331'>331</a>
+<a name='L332'></a><a href='#L332'>332</a>
+<a name='L333'></a><a href='#L333'>333</a>
+<a name='L334'></a><a href='#L334'>334</a>
+<a name='L335'></a><a href='#L335'>335</a>
+<a name='L336'></a><a href='#L336'>336</a>
+<a name='L337'></a><a href='#L337'>337</a>
+<a name='L338'></a><a href='#L338'>338</a>
+<a name='L339'></a><a href='#L339'>339</a>
+<a name='L340'></a><a href='#L340'>340</a>
+<a name='L341'></a><a href='#L341'>341</a>
+<a name='L342'></a><a href='#L342'>342</a>
+<a name='L343'></a><a href='#L343'>343</a>
+<a name='L344'></a><a href='#L344'>344</a>
+<a name='L345'></a><a href='#L345'>345</a>
+<a name='L346'></a><a href='#L346'>346</a>
+<a name='L347'></a><a href='#L347'>347</a>
+<a name='L348'></a><a href='#L348'>348</a>
+<a name='L349'></a><a href='#L349'>349</a>
+<a name='L350'></a><a href='#L350'>350</a>
+<a name='L351'></a><a href='#L351'>351</a>
+<a name='L352'></a><a href='#L352'>352</a>
+<a name='L353'></a><a href='#L353'>353</a>
+<a name='L354'></a><a href='#L354'>354</a>
+<a name='L355'></a><a href='#L355'>355</a>
+<a name='L356'></a><a href='#L356'>356</a>
+<a name='L357'></a><a href='#L357'>357</a>
+<a name='L358'></a><a href='#L358'>358</a>
+<a name='L359'></a><a href='#L359'>359</a>
+<a name='L360'></a><a href='#L360'>360</a>
+<a name='L361'></a><a href='#L361'>361</a>
+<a name='L362'></a><a href='#L362'>362</a>
+<a name='L363'></a><a href='#L363'>363</a>
+<a name='L364'></a><a href='#L364'>364</a>
+<a name='L365'></a><a href='#L365'>365</a>
+<a name='L366'></a><a href='#L366'>366</a>
+<a name='L367'></a><a href='#L367'>367</a>
+<a name='L368'></a><a href='#L368'>368</a>
+<a name='L369'></a><a href='#L369'>369</a>
+<a name='L370'></a><a href='#L370'>370</a>
+<a name='L371'></a><a href='#L371'>371</a>
+<a name='L372'></a><a href='#L372'>372</a>
+<a name='L373'></a><a href='#L373'>373</a>
+<a name='L374'></a><a href='#L374'>374</a>
+<a name='L375'></a><a href='#L375'>375</a>
+<a name='L376'></a><a href='#L376'>376</a>
+<a name='L377'></a><a href='#L377'>377</a>
+<a name='L378'></a><a href='#L378'>378</a>
+<a name='L379'></a><a href='#L379'>379</a>
+<a name='L380'></a><a href='#L380'>380</a>
+<a name='L381'></a><a href='#L381'>381</a>
+<a name='L382'></a><a href='#L382'>382</a>
+<a name='L383'></a><a href='#L383'>383</a>
+<a name='L384'></a><a href='#L384'>384</a>
+<a name='L385'></a><a href='#L385'>385</a>
+<a name='L386'></a><a href='#L386'>386</a>
+<a name='L387'></a><a href='#L387'>387</a></td><td class="line-coverage quiet"><span class="cline-any cline-yes">1x</span>
+<span class="cline-any cline-yes">1x</span>
+<span class="cline-any cline-yes">1x</span>
+<span class="cline-any cline-yes">1x</span>
+<span class="cline-any cline-yes">1x</span>
+<span class="cline-any cline-yes">1x</span>
+<span class="cline-any cline-yes">1x</span>
+<span class="cline-any cline-yes">1x</span>
+<span class="cline-any cline-yes">1x</span>
+<span class="cline-any cline-yes">1x</span>
+<span class="cline-any cline-yes">1x</span>
+<span class="cline-any cline-yes">1x</span>
+<span class="cline-any cline-yes">1x</span>
+<span class="cline-any cline-yes">1x</span>
+<span class="cline-any cline-yes">1x</span>
+<span class="cline-any cline-yes">1x</span>
+<span class="cline-any cline-yes">1x</span>
 <span class="cline-any cline-yes">2x</span>
 <span class="cline-any cline-yes">2x</span>
 <span class="cline-any cline-yes">2x</span>
@@ -392,201 +486,333 @@
 <span class="cline-any cline-yes">2x</span>
 <span class="cline-any cline-yes">2x</span>
 <span class="cline-any cline-yes">2x</span>
-<span class="cline-any cline-yes">4x</span>
+<span class="cline-any cline-yes">1x</span>
+<span class="cline-any cline-yes">1x</span>
 <span class="cline-any cline-no">&nbsp;</span>
 <span class="cline-any cline-no">&nbsp;</span>
-<span class="cline-any cline-yes">4x</span>
-<span class="cline-any cline-yes">4x</span>
-<span class="cline-any cline-yes">4x</span>
-<span class="cline-any cline-yes">2x</span>
-<span class="cline-any cline-yes">2x</span>
 <span class="cline-any cline-no">&nbsp;</span>
 <span class="cline-any cline-no">&nbsp;</span>
 <span class="cline-any cline-no">&nbsp;</span>
 <span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-yes">1x</span>
+<span class="cline-any cline-yes">1x</span>
 <span class="cline-any cline-no">&nbsp;</span>
 <span class="cline-any cline-no">&nbsp;</span>
-<span class="cline-any cline-yes">2x</span>
-<span class="cline-any cline-yes">2x</span>
-<span class="cline-any cline-yes">4x</span>
 <span class="cline-any cline-no">&nbsp;</span>
 <span class="cline-any cline-no">&nbsp;</span>
-<span class="cline-any cline-yes">4x</span>
-<span class="cline-any cline-yes">4x</span>
-<span class="cline-any cline-yes">4x</span>
-<span class="cline-any cline-yes">2x</span>
-<span class="cline-any cline-yes">2x</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-yes">1x</span>
+<span class="cline-any cline-yes">1x</span>
 <span class="cline-any cline-no">&nbsp;</span>
 <span class="cline-any cline-no">&nbsp;</span>
 <span class="cline-any cline-no">&nbsp;</span>
 <span class="cline-any cline-no">&nbsp;</span>
 <span class="cline-any cline-no">&nbsp;</span>
 <span class="cline-any cline-no">&nbsp;</span>
-<span class="cline-any cline-yes">2x</span>
-<span class="cline-any cline-yes">2x</span>
-<span class="cline-any cline-yes">4x</span>
-<span class="cline-any cline-no">&nbsp;</span>
-<span class="cline-any cline-no">&nbsp;</span>
-<span class="cline-any cline-yes">4x</span>
-<span class="cline-any cline-yes">4x</span>
-<span class="cline-any cline-yes">4x</span>
-<span class="cline-any cline-yes">4x</span>
-<span class="cline-any cline-yes">4x</span>
-<span class="cline-any cline-yes">4x</span>
-<span class="cline-any cline-yes">4x</span>
-<span class="cline-any cline-yes">3x</span>
-<span class="cline-any cline-yes">3x</span>
-<span class="cline-any cline-yes">3x</span>
-<span class="cline-any cline-yes">4x</span>
-<span class="cline-any cline-yes">4x</span>
-<span class="cline-any cline-yes">3x</span>
-<span class="cline-any cline-yes">3x</span>
-<span class="cline-any cline-yes">3x</span>
-<span class="cline-any cline-yes">3x</span>
-<span class="cline-any cline-yes">3x</span>
-<span class="cline-any cline-yes">3x</span>
-<span class="cline-any cline-yes">3x</span>
-<span class="cline-any cline-yes">3x</span>
-<span class="cline-any cline-yes">3x</span>
-<span class="cline-any cline-yes">3x</span>
-<span class="cline-any cline-yes">3x</span>
-<span class="cline-any cline-yes">3x</span>
-<span class="cline-any cline-yes">3x</span>
-<span class="cline-any cline-yes">3x</span>
-<span class="cline-any cline-no">&nbsp;</span>
-<span class="cline-any cline-no">&nbsp;</span>
-<span class="cline-any cline-no">&nbsp;</span>
-<span class="cline-any cline-yes">3x</span>
-<span class="cline-any cline-yes">3x</span>
-<span class="cline-any cline-yes">3x</span>
-<span class="cline-any cline-yes">3x</span>
-<span class="cline-any cline-yes">3x</span>
-<span class="cline-any cline-yes">3x</span>
-<span class="cline-any cline-yes">3x</span>
-<span class="cline-any cline-yes">3x</span>
-<span class="cline-any cline-yes">3x</span>
-<span class="cline-any cline-yes">3x</span>
-<span class="cline-any cline-yes">3x</span>
-<span class="cline-any cline-yes">3x</span>
-<span class="cline-any cline-yes">3x</span>
-<span class="cline-any cline-yes">3x</span>
-<span class="cline-any cline-yes">3x</span>
-<span class="cline-any cline-yes">1x</span>
-<span class="cline-any cline-yes">3x</span>
-<span class="cline-any cline-yes">2x</span>
-<span class="cline-any cline-yes">2x</span>
-<span class="cline-any cline-yes">3x</span>
-<span class="cline-any cline-yes">3x</span>
-<span class="cline-any cline-yes">1x</span>
-<span class="cline-any cline-yes">1x</span>
-<span class="cline-any cline-yes">1x</span>
-<span class="cline-any cline-yes">2x</span>
-<span class="cline-any cline-yes">2x</span>
-<span class="cline-any cline-yes">2x</span>
-<span class="cline-any cline-yes">2x</span>
-<span class="cline-any cline-yes">3x</span>
 <span class="cline-any cline-yes">1x</span>
 <span class="cline-any cline-yes">1x</span>
 <span class="cline-any cline-no">&nbsp;</span>
 <span class="cline-any cline-no">&nbsp;</span>
-<span class="cline-any cline-yes">3x</span>
-<span class="cline-any cline-yes">1x</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
 <span class="cline-any cline-yes">1x</span>
 <span class="cline-any cline-yes">1x</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
 <span class="cline-any cline-yes">1x</span>
 <span class="cline-any cline-yes">1x</span>
-<span class="cline-any cline-yes">3x</span>
-<span class="cline-any cline-yes">2x</span>
-<span class="cline-any cline-yes">2x</span>
-<span class="cline-any cline-yes">4x</span>
-<span class="cline-any cline-yes">2x</span>
-<span class="cline-any cline-yes">2x</span>
-<span class="cline-any cline-yes">243x</span>
 <span class="cline-any cline-no">&nbsp;</span>
 <span class="cline-any cline-no">&nbsp;</span>
-<span class="cline-any cline-yes">243x</span>
-<span class="cline-any cline-yes">243x</span>
-<span class="cline-any cline-yes">243x</span>
-<span class="cline-any cline-yes">243x</span>
-<span class="cline-any cline-yes">243x</span>
-<span class="cline-any cline-yes">243x</span>
-<span class="cline-any cline-yes">243x</span>
-<span class="cline-any cline-yes">243x</span>
-<span class="cline-any cline-yes">243x</span>
-<span class="cline-any cline-yes">243x</span>
-<span class="cline-any cline-yes">243x</span>
-<span class="cline-any cline-yes">243x</span>
-<span class="cline-any cline-yes">10x</span>
-<span class="cline-any cline-yes">10x</span>
-<span class="cline-any cline-yes">10x</span>
-<span class="cline-any cline-yes">243x</span>
-<span class="cline-any cline-yes">243x</span>
-<span class="cline-any cline-yes">5x</span>
-<span class="cline-any cline-yes">5x</span>
-<span class="cline-any cline-yes">5x</span>
-<span class="cline-any cline-yes">243x</span>
-<span class="cline-any cline-yes">243x</span>
 <span class="cline-any cline-no">&nbsp;</span>
 <span class="cline-any cline-no">&nbsp;</span>
 <span class="cline-any cline-no">&nbsp;</span>
-<span class="cline-any cline-yes">243x</span>
-<span class="cline-any cline-yes">243x</span>
-<span class="cline-any cline-yes">14x</span>
-<span class="cline-any cline-yes">14x</span>
-<span class="cline-any cline-yes">14x</span>
-<span class="cline-any cline-yes">14x</span>
-<span class="cline-any cline-yes">14x</span>
-<span class="cline-any cline-yes">243x</span>
-<span class="cline-any cline-yes">243x</span>
-<span class="cline-any cline-yes">243x</span>
-<span class="cline-any cline-yes">10x</span>
-<span class="cline-any cline-yes">10x</span>
-<span class="cline-any cline-yes">10x</span>
-<span class="cline-any cline-yes">10x</span>
-<span class="cline-any cline-yes">10x</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
 <span class="cline-any cline-yes">1x</span>
 <span class="cline-any cline-yes">1x</span>
 <span class="cline-any cline-yes">1x</span>
 <span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
 <span class="cline-any cline-yes">1x</span>
 <span class="cline-any cline-yes">1x</span>
 <span class="cline-any cline-yes">1x</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
 <span class="cline-any cline-yes">1x</span>
-<span class="cline-any cline-yes">10x</span>
-<span class="cline-any cline-yes">10x</span>
-<span class="cline-any cline-yes">10x</span>
-<span class="cline-any cline-yes">4x</span>
-<span class="cline-any cline-yes">10x</span>
-<span class="cline-any cline-yes">10x</span>
-<span class="cline-any cline-yes">10x</span>
 <span class="cline-any cline-yes">1x</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
 <span class="cline-any cline-yes">1x</span>
 <span class="cline-any cline-yes">1x</span>
-<span class="cline-any cline-yes">9x</span>
-<span class="cline-any cline-yes">10x</span>
-<span class="cline-any cline-yes">5x</span>
-<span class="cline-any cline-yes">5x</span>
-<span class="cline-any cline-yes">5x</span>
-<span class="cline-any cline-yes">5x</span>
-<span class="cline-any cline-yes">5x</span>
-<span class="cline-any cline-yes">3x</span>
-<span class="cline-any cline-yes">3x</span>
-<span class="cline-any cline-yes">3x</span>
 <span class="cline-any cline-no">&nbsp;</span>
 <span class="cline-any cline-no">&nbsp;</span>
 <span class="cline-any cline-no">&nbsp;</span>
-<span class="cline-any cline-yes">5x</span>
-<span class="cline-any cline-yes">2x</span>
-<span class="cline-any cline-yes">2x</span>
-<span class="cline-any cline-yes">2x</span>
-<span class="cline-any cline-yes">2x</span>
-<span class="cline-any cline-yes">2x</span>
-<span class="cline-any cline-yes">2x</span>
-<span class="cline-any cline-yes">2x</span>
-<span class="cline-any cline-yes">2x</span>
-<span class="cline-any cline-yes">2x</span>
-<span class="cline-any cline-yes">2x</span>
-<span class="cline-any cline-yes">2x</span>
 <span class="cline-any cline-no">&nbsp;</span>
 <span class="cline-any cline-no">&nbsp;</span>
 <span class="cline-any cline-no">&nbsp;</span>
@@ -594,57 +820,21 @@
 <span class="cline-any cline-no">&nbsp;</span>
 <span class="cline-any cline-no">&nbsp;</span>
 <span class="cline-any cline-no">&nbsp;</span>
-<span class="cline-any cline-yes">2x</span>
-<span class="cline-any cline-yes">5x</span>
-<span class="cline-any cline-yes">5x</span>
-<span class="cline-any cline-yes">5x</span>
-<span class="cline-any cline-yes">10x</span>
-<span class="cline-any cline-yes">4x</span>
-<span class="cline-any cline-yes">4x</span>
-<span class="cline-any cline-yes">4x</span>
-<span class="cline-any cline-yes">4x</span>
-<span class="cline-any cline-yes">4x</span>
-<span class="cline-any cline-yes">4x</span>
-<span class="cline-any cline-yes">4x</span>
-<span class="cline-any cline-yes">4x</span>
-<span class="cline-any cline-yes">4x</span>
-<span class="cline-any cline-no">&nbsp;</span>
-<span class="cline-any cline-no">&nbsp;</span>
-<span class="cline-any cline-no">&nbsp;</span>
-<span class="cline-any cline-yes">4x</span>
-<span class="cline-any cline-yes">4x</span>
-<span class="cline-any cline-yes">1x</span>
-<span class="cline-any cline-yes">1x</span>
-<span class="cline-any cline-yes">4x</span>
-<span class="cline-any cline-yes">4x</span>
-<span class="cline-any cline-yes">4x</span>
-<span class="cline-any cline-yes">4x</span>
-<span class="cline-any cline-yes">243x</span>
-<span class="cline-any cline-yes">233x</span>
-<span class="cline-any cline-yes">233x</span>
-<span class="cline-any cline-yes">238x</span>
-<span class="cline-any cline-yes">238x</span>
-<span class="cline-any cline-yes">238x</span>
-<span class="cline-any cline-yes">243x</span>
-<span class="cline-any cline-yes">2x</span>
-<span class="cline-any cline-yes">2x</span>
-<span class="cline-any cline-yes">6x</span>
-<span class="cline-any cline-yes">19x</span>
-<span class="cline-any cline-yes">19x</span>
-<span class="cline-any cline-yes">19x</span>
-<span class="cline-any cline-yes">19x</span>
-<span class="cline-any cline-yes">19x</span>
-<span class="cline-any cline-yes">19x</span>
-<span class="cline-any cline-yes">19x</span>
-<span class="cline-any cline-yes">19x</span>
-<span class="cline-any cline-yes">19x</span>
-<span class="cline-any cline-yes">12x</span>
-<span class="cline-any cline-yes">12x</span>
-<span class="cline-any cline-yes">19x</span>
-<span class="cline-any cline-yes">19x</span>
-<span class="cline-any cline-yes">19x</span>
-<span class="cline-any cline-yes">6x</span>
-<span class="cline-any cline-neutral">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
+<span class="cline-any cline-no">&nbsp;</span>
 <span class="cline-any cline-neutral">&nbsp;</span></td><td class="text"><pre class="prettyprint lang-js">import _ from 'lodash'
 import makeDebug from 'debug'
 import common from 'feathers-hooks-common'
@@ -655,6 +845,7 @@ import {
   hasServiceAbilities, hasResourceAbilities, getQueryForAbilities,
   Roles, RoleNames, countSubjectsForResource
 } from '../../common/permissions.js'
+import { isTagEqual } from '../utils.js'
 &nbsp;
 const { getItems, replaceItems } = common
 const { Forbidden } = errors
@@ -671,7 +862,7 @@ export function createJWT (options = {}) {
     const accessTokens = await Promise.all(items.map(item =&gt; hook.app.getService('authentication').createAccessToken(
       // Provided function can be used to pick or omit properties in JWT payload
       (typeof options.payload === 'function' ? options.payload(user) : {}),
-      // Provided function can be used for custom options depending on the user,
+      // Provided function can be used for custom options cdepending on the user,
       // then we merge with default auth options for global properties like aud, iss, etc.
       _.merge({}, defaults, (typeof options.jwt === 'function' ? options.jwt(user) : options)))
     ))
@@ -682,13 +873,13 @@ export function createJWT (options = {}) {
   }
 }
 &nbsp;
-export function populateSubjects (hook) {
-  if (hook.type !== 'before') <span class="branch-0 cbranch-no" title="branch not covered" >{</span>
+export <span class="fstat-no" title="function not covered" >function populateSubjects (hook) {</span>
+<span class="cstat-no" title="statement not covered" >  if (hook.type !== 'before') {</span>
 <span class="cstat-no" title="statement not covered" >    throw new Error('The \'populateSubjects\' hook should only be used as a \'before\' hook.')</span>
 <span class="cstat-no" title="statement not covered" >  }</span>
-&nbsp;
-  return populateObjects({ serviceField: 'subjectsService', idField: 'subjects', throwOnNotFound: true })(hook)
-}
+<span class="cstat-no" title="statement not covered" ></span>
+<span class="cstat-no" title="statement not covered" >  return populateObjects({ serviceField: 'subjectsService', idField: 'subjects', throwOnNotFound: true })(hook)</span>
+<span class="cstat-no" title="statement not covered" >}</span>
 &nbsp;
 export <span class="fstat-no" title="function not covered" >function unpopulateSubjects (hook) {</span>
 <span class="cstat-no" title="statement not covered" >  if (hook.type !== 'after') {</span>
@@ -698,13 +889,13 @@ export <span class="fstat-no" title="function not covered" >function unpopulateS
 <span class="cstat-no" title="statement not covered" >  return unpopulateObjects({ serviceField: 'subjectsService', idField: 'subjects' })(hook)</span>
 <span class="cstat-no" title="statement not covered" >}</span>
 &nbsp;
-export function populateResource (hook) {
-  if (hook.type !== 'before') <span class="branch-0 cbranch-no" title="branch not covered" >{</span>
+export <span class="fstat-no" title="function not covered" >function populateResource (hook) {</span>
+<span class="cstat-no" title="statement not covered" >  if (hook.type !== 'before') {</span>
 <span class="cstat-no" title="statement not covered" >    throw new Error('The \'populateResource\' hook should only be used as a \'before\' hook.')</span>
 <span class="cstat-no" title="statement not covered" >  }</span>
-&nbsp;
-  return populateObject({ serviceField: 'resourcesService', idField: 'resource', throwOnNotFound: true })(hook)
-}
+<span class="cstat-no" title="statement not covered" ></span>
+<span class="cstat-no" title="statement not covered" >  return populateObject({ serviceField: 'resourcesService', idField: 'resource', throwOnNotFound: true })(hook)</span>
+<span class="cstat-no" title="statement not covered" >}</span>
 &nbsp;
 export <span class="fstat-no" title="function not covered" >function unpopulateResource (hook) {</span>
 <span class="cstat-no" title="statement not covered" >  if (hook.type !== 'after') {</span>
@@ -714,170 +905,168 @@ export <span class="fstat-no" title="function not covered" >function unpopulateR
 <span class="cstat-no" title="statement not covered" >  return unpopulateObject({ serviceField: 'resourcesService', idField: 'resource' })(hook)</span>
 <span class="cstat-no" title="statement not covered" >}</span>
 &nbsp;
-export function preventEscalation (hook) {
-  if (hook.type !== 'before') <span class="branch-0 cbranch-no" title="branch not covered" >{</span>
+export <span class="fstat-no" title="function not covered" >function preventEscalation (hook) {</span>
+<span class="cstat-no" title="statement not covered" >  if (hook.type !== 'before') {</span>
 <span class="cstat-no" title="statement not covered" >    throw new Error('The \'preventEscalation\' hook should only be used as a \'before\' hook.')</span>
 <span class="cstat-no" title="statement not covered" >  }</span>
-&nbsp;
-  const params = hook.params
-  // If called internally we skip authorisation
-  let checkEscalation = _.has(params, 'provider')
-  debug('Escalation check ' + (checkEscalation <span class="branch-0 cbranch-no" title="branch not covered" >? 'enabled' </span>: 'disabled') + ' for provider')
-  // If explicitely asked to perform/skip, override defaults
-  if (_.has(params, 'checkEscalation')) {
-    checkEscalation = params.checkEscalation
-    debug('Escalation check ' + (checkEscalation ? 'forced' <span class="branch-0 cbranch-no" title="branch not covered" >: 'unforced')</span>)
-  }
-&nbsp;
-  if (checkEscalation) {
-    const user = params.user
-    // Make hook usable on remove as well
-    const data = hook.data || {}
-    // Make hook usable with query params as well
-    const query = params.query || {}
-    const scopeName = data.scope || query.scope // Get scope name first
-    // Retrieve the right scope on the user
-    const scope = _.get(user, scopeName, [])
-    // Then the target resource
-    const resource = _.find(scope, resource =&gt; resource._id &amp;&amp; (resource._id.toString() === params.resource._id.toString()))
-    // Then user permission level
-    const permissions = (resource ? resource.permissions <span class="branch-0 cbranch-no" title="branch not covered" >: undefined)</span>
-    const role = (permissions ? Roles[permissions] <span class="branch-0 cbranch-no" title="branch not covered" >: undefined)</span>
-    if (_.isUndefined(role)) <span class="branch-0 cbranch-no" title="branch not covered" >{</span>
+<span class="cstat-no" title="statement not covered" ></span>
+<span class="cstat-no" title="statement not covered" >  const params = hook.params</span>
+<span class="cstat-no" title="statement not covered" >  // If called internally we skip authorisation</span>
+<span class="cstat-no" title="statement not covered" >  let checkEscalation = _.has(params, 'provider')</span>
+<span class="cstat-no" title="statement not covered" >  debug('Escalation check ' + (checkEscalation ? 'enabled' : 'disabled') + ' for provider')</span>
+<span class="cstat-no" title="statement not covered" >  // If explicitely asked to perform/skip, override defaults</span>
+<span class="cstat-no" title="statement not covered" >  if (_.has(params, 'checkEscalation')) {</span>
+<span class="cstat-no" title="statement not covered" >    checkEscalation = params.checkEscalation</span>
+<span class="cstat-no" title="statement not covered" >    debug('Escalation check ' + (checkEscalation ? 'forced' : 'unforced'))</span>
+<span class="cstat-no" title="statement not covered" >  }</span>
+<span class="cstat-no" title="statement not covered" ></span>
+<span class="cstat-no" title="statement not covered" >  if (checkEscalation) {</span>
+<span class="cstat-no" title="statement not covered" >    const user = params.user</span>
+<span class="cstat-no" title="statement not covered" >    // Make hook usable on remove as well</span>
+<span class="cstat-no" title="statement not covered" >    const data = hook.data || {}</span>
+<span class="cstat-no" title="statement not covered" >    // Make hook usable with query params as well</span>
+<span class="cstat-no" title="statement not covered" >    const query = params.query || {}</span>
+<span class="cstat-no" title="statement not covered" >    const scopeName = data.scope || query.scope // Get scope name first</span>
+<span class="cstat-no" title="statement not covered" >    // Retrieve the right scope on the user</span>
+<span class="cstat-no" title="statement not covered" >    const scope = _.get(user, scopeName, [])</span>
+<span class="cstat-no" title="statement not covered" >    // Then the target resource</span>
+<span class="cstat-no" title="statement not covered" >    const resource = _.find(scope, resource =&gt; resource._id &amp;&amp; (resource._id.toString() === params.resource._id.toString()))</span>
+<span class="cstat-no" title="statement not covered" >    // Then user permission level</span>
+<span class="cstat-no" title="statement not covered" >    const permissions = (resource ? resource.permissions : undefined)</span>
+<span class="cstat-no" title="statement not covered" >    const role = (permissions ? Roles[permissions] : undefined)</span>
+<span class="cstat-no" title="statement not covered" >    if (_.isUndefined(role)) {</span>
 <span class="cstat-no" title="statement not covered" >      debug('Role for authorisation not found on user for scope ' + scopeName)</span>
 <span class="cstat-no" title="statement not covered" >      throw new Forbidden('You are not allowed to change authorisation on resource')</span>
 <span class="cstat-no" title="statement not covered" >    }</span>
-&nbsp;
-    // Check if privilege escalation might occur, if so clamp to user permission level
-&nbsp;
-    // Input subjects need to be checked:
-    // - on create you should not be able to change permissions on others having higher permissions than yourself
-    // (e.g. cannot change a owner into a manager when you are a manager)
-    // - on remove you should not be able to remove permissions on others having higher permissions than yourself
-    // (e.g. cannot remove a owner when you are a manager)
-    const subjects = params.subjects.filter(subject =&gt; {
-      const subjectScope = _.get(subject, scopeName, [])
-      const subjectResource = _.find(subjectScope, resource =&gt; resource._id &amp;&amp; (resource._id.toString() === params.resource._id.toString()))
-      const subjectPermissions = (subjectResource ? subjectResource.permissions <span class="branch-0 cbranch-no" title="branch not covered" >: undefined)</span>
-      const subjectRole = (subjectPermissions ? Roles[subjectPermissions] <span class="branch-0 cbranch-no" title="branch not covered" >: undefined)</span>
-      const hasRole = !_.isUndefined(subjectRole)
-      if (hook.method === 'create') {
-        return (!hasRole || (subjectRole &lt;= role)) // The first time no authorisation can be found
-      } else {
-        return (hasRole &amp;&amp; (subjectRole &lt;= role)) // Authorisation must be found on remove
-      }
-    })
-    if (subjects.length &lt; params.subjects.length) {
-      debug(`${(params.subjects.length - subjects.length)} subjects with higher permissions level found for scope ${scopeName}`)
-      throw new Forbidden('You are not allowed to change authorisation on subject(s)')
-    }
-    // Input permissions needs to be checked since:
-    // - you should not be able to give higher permissions than your own ones to others
-    // (e.g. cannot create a owner when you are a manager)
-    let authorisationRole
-    if (data.permissions) {
-      authorisationRole = Roles[data.permissions]
-    } else if (query.permissions) <span class="branch-0 cbranch-no" title="branch not covered" >{</span>
+<span class="cstat-no" title="statement not covered" ></span>
+<span class="cstat-no" title="statement not covered" >    // Check if privilege escalation might occur, if so clamp to user permission level</span>
+<span class="cstat-no" title="statement not covered" ></span>
+<span class="cstat-no" title="statement not covered" >    // Input subjects need to be checked:</span>
+<span class="cstat-no" title="statement not covered" >    // - on create you should not be able to change permissions on others having higher permissions than yourself</span>
+<span class="cstat-no" title="statement not covered" >    // (e.g. cannot change a owner into a manager when you are a manager)</span>
+<span class="cstat-no" title="statement not covered" >    // - on remove you should not be able to remove permissions on others having higher permissions than yourself</span>
+<span class="cstat-no" title="statement not covered" >    // (e.g. cannot remove a owner when you are a manager)</span>
+<span class="cstat-no" title="statement not covered" >    const subjects = params.subjects.filter(subject =&gt; {</span>
+<span class="cstat-no" title="statement not covered" >      const subjectScope = _.get(subject, scopeName, [])</span>
+<span class="cstat-no" title="statement not covered" >      const subjectResource = _.find(subjectScope, resource =&gt; resource._id &amp;&amp; (resource._id.toString() === params.resource._id.toString()))</span>
+<span class="cstat-no" title="statement not covered" >      const subjectPermissions = (subjectResource ? subjectResource.permissions : undefined)</span>
+<span class="cstat-no" title="statement not covered" >      const subjectRole = (subjectPermissions ? Roles[subjectPermissions] : undefined)</span>
+<span class="cstat-no" title="statement not covered" >      const hasRole = !_.isUndefined(subjectRole)</span>
+<span class="cstat-no" title="statement not covered" >      if (hook.method === 'create') {</span>
+<span class="cstat-no" title="statement not covered" >        return (!hasRole || (subjectRole &lt;= role)) // The first time no authorisation can be found</span>
+<span class="cstat-no" title="statement not covered" >      } else {</span>
+<span class="cstat-no" title="statement not covered" >        return (hasRole &amp;&amp; (subjectRole &lt;= role)) // Authorisation must be found on remove</span>
+<span class="cstat-no" title="statement not covered" >      }</span>
+<span class="cstat-no" title="statement not covered" >    })</span>
+<span class="cstat-no" title="statement not covered" >    if (subjects.length &lt; params.subjects.length) {</span>
+<span class="cstat-no" title="statement not covered" >      debug(`${(params.subjects.length - subjects.length)} subjects with higher permissions level found for scope ${scopeName}`)</span>
+<span class="cstat-no" title="statement not covered" >      throw new Forbidden('You are not allowed to change authorisation on subject(s)')</span>
+<span class="cstat-no" title="statement not covered" >    }</span>
+<span class="cstat-no" title="statement not covered" >    // Input permissions needs to be checked since:</span>
+<span class="cstat-no" title="statement not covered" >    // - you should not be able to give higher permissions than your own ones to others</span>
+<span class="cstat-no" title="statement not covered" >    // (e.g. cannot create a owner when you are a manager)</span>
+<span class="cstat-no" title="statement not covered" >    let authorisationRole</span>
+<span class="cstat-no" title="statement not covered" >    if (data.permissions) {</span>
+<span class="cstat-no" title="statement not covered" >      authorisationRole = Roles[data.permissions]</span>
+<span class="cstat-no" title="statement not covered" >    } else if (query.permissions) {</span>
 <span class="cstat-no" title="statement not covered" >      authorisationRole = Roles[query.permissions]</span>
 <span class="cstat-no" title="statement not covered" >    }</span>
-    if (!_.isUndefined(authorisationRole)) {
-      if (authorisationRole &gt; role) {
-        debug('Cannot escalate with higher permissions level for scope ' + scopeName)
-        throw new Forbidden('You are not allowed to change authorisation on resource')
-      }
-    }
-  }
-&nbsp;
-  return hook
-}
+<span class="cstat-no" title="statement not covered" >    if (!_.isUndefined(authorisationRole)) {</span>
+<span class="cstat-no" title="statement not covered" >      if (authorisationRole &gt; role) {</span>
+<span class="cstat-no" title="statement not covered" >        debug('Cannot escalate with higher permissions level for scope ' + scopeName)</span>
+<span class="cstat-no" title="statement not covered" >        throw new Forbidden('You are not allowed to change authorisation on resource')</span>
+<span class="cstat-no" title="statement not covered" >      }</span>
+<span class="cstat-no" title="statement not covered" >    }</span>
+<span class="cstat-no" title="statement not covered" >  }</span>
+<span class="cstat-no" title="statement not covered" ></span>
+<span class="cstat-no" title="statement not covered" >  return hook</span>
+<span class="cstat-no" title="statement not covered" >}</span>
 &nbsp;
-export async function authorise (hook) {
-  if (hook.type !== 'before') <span class="branch-0 cbranch-no" title="branch not covered" >{</span>
+export <span class="fstat-no" title="function not covered" >async function authorise (hook) {</span>
+<span class="cstat-no" title="statement not covered" >  if (hook.type !== 'before') {</span>
 <span class="cstat-no" title="statement not covered" >    throw new Error('The \'authorise\' hook should only be used as a \'before\' hook.')</span>
 <span class="cstat-no" title="statement not covered" >  }</span>
-  const operation = hook.method
-  const resourceType = hook.service.name
-  debug('Provider is', hook.params.provider)
-  if (hook.params.user) debug('User is', hook.params.user)
-  debug('Operation is', operation)
-  if (resourceType) debug('Resource type is', resourceType)
-&nbsp;
-  // If called internally we skip authorisation
-  let checkAuthorisation = _.has(hook.params, 'provider')
-  debug('Access check ' + (checkAuthorisation ? 'enabled' : 'disabled') + ' for provider')
-  // If already checked we skip authorisation
-  if (hook.params.authorised) {
-    debug('Access already granted')
-    checkAuthorisation = false
-  }
-  // We also skip authorisation for built-in Feathers services like authentication
-  if (typeof hook.service.getPath !== 'function') {
-    debug('Access disabled on built-in services')
-    checkAuthorisation = false
-  }
-  // And if the authentication strategy is API key
-  if (_.get(hook, 'params.connection.authentication.strategy') === 'api') <span class="branch-0 cbranch-no" title="branch not covered" >{</span>
+<span class="cstat-no" title="statement not covered" >  const operation = hook.method</span>
+<span class="cstat-no" title="statement not covered" >  const resourceType = hook.service.name</span>
+<span class="cstat-no" title="statement not covered" >  debug('Provider is', hook.params.provider)</span>
+<span class="cstat-no" title="statement not covered" >  if (hook.params.user) debug('User is', hook.params.user)</span>
+<span class="cstat-no" title="statement not covered" >  debug('Operation is', operation)</span>
+<span class="cstat-no" title="statement not covered" >  if (resourceType) debug('Resource type is', resourceType)</span>
+<span class="cstat-no" title="statement not covered" ></span>
+<span class="cstat-no" title="statement not covered" >  // If called internally we skip authorisation</span>
+<span class="cstat-no" title="statement not covered" >  let checkAuthorisation = _.has(hook.params, 'provider')</span>
+<span class="cstat-no" title="statement not covered" >  debug('Access check ' + (checkAuthorisation ? 'enabled' : 'disabled') + ' for provider')</span>
+<span class="cstat-no" title="statement not covered" >  // If already checked we skip authorisation</span>
+<span class="cstat-no" title="statement not covered" >  if (hook.params.authorised) {</span>
+<span class="cstat-no" title="statement not covered" >    debug('Access already granted')</span>
+<span class="cstat-no" title="statement not covered" >    checkAuthorisation = false</span>
+<span class="cstat-no" title="statement not covered" >  }</span>
+<span class="cstat-no" title="statement not covered" >  // We also skip authorisation for built-in Feathers services like authentication</span>
+<span class="cstat-no" title="statement not covered" >  if (typeof hook.service.getPath !== 'function') {</span>
+<span class="cstat-no" title="statement not covered" >    debug('Access disabled on built-in services')</span>
+<span class="cstat-no" title="statement not covered" >    checkAuthorisation = false</span>
+<span class="cstat-no" title="statement not covered" >  }</span>
+<span class="cstat-no" title="statement not covered" >  // And if the authentication strategy is API key</span>
+<span class="cstat-no" title="statement not covered" >  if (_.get(hook, 'params.connection.authentication.strategy') === 'api') {</span>
 <span class="cstat-no" title="statement not covered" >    debug('Access disabled on API keys')</span>
 <span class="cstat-no" title="statement not covered" >    checkAuthorisation = false</span>
 <span class="cstat-no" title="statement not covered" >  }</span>
-  // If explicitely asked to perform/skip, override defaults
-  if (_.has(hook.params, 'checkAuthorisation')) {
-    checkAuthorisation = _.get(hook.params, 'checkAuthorisation')
-    // Bypass authorisation for next hooks otherwise we will loop infinitely
-    delete hook.params.checkAuthorisation
-    debug('Access check ' + (checkAuthorisation ? 'forced' : 'unforced'))
-  }
-&nbsp;
-  const context = hook.service.context
-  if (checkAuthorisation) {
-    // Build ability for user
-    const authorisationService = hook.app.getService('authorisations')
-    let subject = hook.params.user
-    const payload = _.get(hook.params, 'authentication.payload')
-    if (payload) {
-      // If no user we allow for a stateless token with permissions inside, e.g.
-      // token targeting API gateway (sub = keyId) or app used through iframe (appId = keyId)
-      if (!subject <span class="branch-0 cbranch-no" title="branch not covered" >&amp;&amp; (payload.sub || payload.appId))</span> <span class="branch-0 cbranch-no" title="branch not covered" >{</span>
+<span class="cstat-no" title="statement not covered" >  // If explicitely asked to perform/skip, override defaults</span>
+<span class="cstat-no" title="statement not covered" >  if (_.has(hook.params, 'checkAuthorisation')) {</span>
+<span class="cstat-no" title="statement not covered" >    checkAuthorisation = _.get(hook.params, 'checkAuthorisation')</span>
+<span class="cstat-no" title="statement not covered" >    // Bypass authorisation for next hooks otherwise we will loop infinitely</span>
+<span class="cstat-no" title="statement not covered" >    delete hook.params.checkAuthorisation</span>
+<span class="cstat-no" title="statement not covered" >    debug('Access check ' + (checkAuthorisation ? 'forced' : 'unforced'))</span>
+<span class="cstat-no" title="statement not covered" >  }</span>
+<span class="cstat-no" title="statement not covered" ></span>
+<span class="cstat-no" title="statement not covered" >  const context = hook.service.context</span>
+<span class="cstat-no" title="statement not covered" >  if (checkAuthorisation) {</span>
+<span class="cstat-no" title="statement not covered" >    // Build ability for user</span>
+<span class="cstat-no" title="statement not covered" >    const authorisationService = hook.app.getService('authorisations')</span>
+<span class="cstat-no" title="statement not covered" >    // If no user we allow for a stateless token with permissions inside</span>
+<span class="cstat-no" title="statement not covered" >    let subject = hook.params.user</span>
+<span class="cstat-no" title="statement not covered" >    if (!subject) {</span>
+<span class="cstat-no" title="statement not covered" >      const payload = _.get(hook.params, 'authentication.payload')</span>
+<span class="cstat-no" title="statement not covered" >      // Token targeting API gateway (sub = keyId) or app used through iframe (appId = keyId)</span>
+<span class="cstat-no" title="statement not covered" >      if (payload &amp;&amp; (payload.sub || payload.appId)) {</span>
 <span class="cstat-no" title="statement not covered" >        subject = Object.assign({ _id: (payload.sub || payload.appId) }, payload)</span>
-      } else if (subject) { // Otherwise we allow to "extend" user abilities by providing additional information in the token
-        subject = Object.assign(subject, _.omit(payload, ['aud', 'iss', 'exp', 'sub', 'iat', 'jti', 'nbf']))
-      }
-    }
-    const abilities = await authorisationService.getAbilities(subject)
-    hook.params.abilities = abilities
-    if (hook.params.user) debug('User abilities are', abilities.rules)
-    else debug('Stateless abilities are', abilities.rules)
-&nbsp;
-    // Check for access to service fisrt
-    if (!hasServiceAbilities(abilities, hook.service)) {
-      debug('Service access not granted')
-      throw new Forbidden(`You are not allowed to access service ${hook.service.getPath()}`)
-    }
-&nbsp;
-    if (!hook.id) {
-      // In this specific case there is no query to be run,
-      // simply check against the object we'd like to create
-      // Support custom methods as create operation as they have similar signature
-      const DEFAULT_METHODS = ['find', 'get', 'create', 'update', 'patch', 'remove']
-      if ((operation === 'create') || !DEFAULT_METHODS.includes(operation)) {
-        const resource = hook.data
-        debug('Target resource is ', resource)
-        if (!hasResourceAbilities(abilities, operation, resourceType, context, resource)) <span class="branch-0 cbranch-no" title="branch not covered" >{</span>
+<span class="cstat-no" title="statement not covered" >      }</span>
+<span class="cstat-no" title="statement not covered" >    }</span>
+<span class="cstat-no" title="statement not covered" >    const abilities = await authorisationService.getAbilities(subject)</span>
+<span class="cstat-no" title="statement not covered" >    hook.params.abilities = abilities</span>
+<span class="cstat-no" title="statement not covered" >    if (hook.params.user) debug('User abilities are', abilities.rules)</span>
+<span class="cstat-no" title="statement not covered" >    else debug('Stateless abilities are', abilities.rules)</span>
+<span class="cstat-no" title="statement not covered" ></span>
+<span class="cstat-no" title="statement not covered" >    // Check for access to service fisrt</span>
+<span class="cstat-no" title="statement not covered" >    if (!hasServiceAbilities(abilities, hook.service)) {</span>
+<span class="cstat-no" title="statement not covered" >      debug('Service access not granted')</span>
+<span class="cstat-no" title="statement not covered" >      throw new Forbidden(`You are not allowed to access service ${hook.service.getPath()}`)</span>
+<span class="cstat-no" title="statement not covered" >    }</span>
+<span class="cstat-no" title="statement not covered" ></span>
+<span class="cstat-no" title="statement not covered" >    if (!hook.id) {</span>
+<span class="cstat-no" title="statement not covered" >      // In this specific case there is no query to be run,</span>
+<span class="cstat-no" title="statement not covered" >      // simply check against the object we'd like to create</span>
+<span class="cstat-no" title="statement not covered" >      // Support custom methods as create operation as they have similar signature</span>
+<span class="cstat-no" title="statement not covered" >      const DEFAULT_METHODS = ['find', 'get', 'create', 'update', 'patch', 'remove']</span>
+<span class="cstat-no" title="statement not covered" >      if ((operation === 'create') || !DEFAULT_METHODS.includes(operation)) {</span>
+<span class="cstat-no" title="statement not covered" >        const resource = hook.data</span>
+<span class="cstat-no" title="statement not covered" >        debug('Target resource is ', resource)</span>
+<span class="cstat-no" title="statement not covered" >        if (!hasResourceAbilities(abilities, operation, resourceType, context, resource)) {</span>
 <span class="cstat-no" title="statement not covered" >          debug('Resource access not granted')</span>
 <span class="cstat-no" title="statement not covered" >          throw new Forbidden(`You are not allowed to perform ${operation} operation on ${resourceType}`)</span>
 <span class="cstat-no" title="statement not covered" >        }</span>
-      } else {
-        // When we find/update/patch/remove multiple items this ensures that
-        // only the ones authorised by constraints on the resources will be fetched
-        // This avoid fetching all first then check it one by one
-        const dbQuery = objectifyIDs(getQueryForAbilities(abilities, operation, resourceType))
-        if (dbQuery) {
-          hook.params.query = _.transform(hook.params.query, (result, value, key) =&gt; {
-            if (key === '$or') <span class="branch-0 cbranch-no" title="branch not covered" >result.$and = [{ $or: value }]</span>
-            else result[key] = value
-          }, {})
-          _.merge(hook.params.query, dbQuery)
-        }<span class="branch-0 cbranch-no" title="branch not covered" > else {</span>
+<span class="cstat-no" title="statement not covered" >      } else {</span>
+<span class="cstat-no" title="statement not covered" >        // When we find/update/patch/remove multiple items this ensures that</span>
+<span class="cstat-no" title="statement not covered" >        // only the ones authorised by constraints on the resources will be fetched</span>
+<span class="cstat-no" title="statement not covered" >        // This avoid fetching all first then check it one by one</span>
+<span class="cstat-no" title="statement not covered" >        const dbQuery = objectifyIDs(getQueryForAbilities(abilities, operation, resourceType))</span>
+<span class="cstat-no" title="statement not covered" >        if (dbQuery) {</span>
+<span class="cstat-no" title="statement not covered" >          hook.params.query = _.transform(hook.params.query, (result, value, key) =&gt; {</span>
+<span class="cstat-no" title="statement not covered" >            if (key === '$or') result.$and = [{ $or: value }]</span>
+<span class="cstat-no" title="statement not covered" >            else result[key] = value</span>
+<span class="cstat-no" title="statement not covered" >          }, {})</span>
+<span class="cstat-no" title="statement not covered" >          _.merge(hook.params.query, dbQuery)</span>
+<span class="cstat-no" title="statement not covered" >        } else {</span>
 <span class="cstat-no" title="statement not covered" >          if (operation === 'find') { // You don't have right to read any items but you have access to the service so the result is empty</span>
 <span class="cstat-no" title="statement not covered" >            hook.result = (!_.get(hook, 'params.paginate', true) ? [] : { total: 0, skip: 0, data: [] })</span>
 <span class="cstat-no" title="statement not covered" >          } else { // You don't have the right to update/patch/remove any items so any tentative should throw</span>
@@ -885,57 +1074,153 @@ export async function authorise (hook) {
 <span class="cstat-no" title="statement not covered" >            throw new Forbidden(`You are not allowed to perform ${operation} operation on ${resourceType}`)</span>
 <span class="cstat-no" title="statement not covered" >          }</span>
 <span class="cstat-no" title="statement not covered" >        }</span>
-      }
-      debug('Resource access granted')
-    // Some specific services might not expose a get function, in this case we cannot check for authorisation
-    // this has to be implemented by the service itself
-    } else if (typeof hook.service.get === 'function') {
-      // In this case (single get/update/patch/remove) we need to fetch the item first
-      // Take care we might have additional query parameters to be "catched" by before hooks,
-      // however at this stage these query parameters might cause get to fail
-      const params = Object.assign({ checkAuthorisation: false }, hook.params)
-      _.unset(params, 'query')
-      const resource = await hook.service.get(hook.id, params)
-      debug('Target resource is', resource)
-      // Then check against the object we'd like to manage
-      if (!hasResourceAbilities(abilities, operation, resourceType, context, resource)) <span class="branch-0 cbranch-no" title="branch not covered" >{</span>
+<span class="cstat-no" title="statement not covered" >      }</span>
+<span class="cstat-no" title="statement not covered" >      debug('Resource access granted')</span>
+<span class="cstat-no" title="statement not covered" >    // Some specific services might not expose a get function, in this case we cannot check for authorisation</span>
+<span class="cstat-no" title="statement not covered" >    // this has to be implemented by the service itself</span>
+<span class="cstat-no" title="statement not covered" >    } else if (typeof hook.service.get === 'function') {</span>
+<span class="cstat-no" title="statement not covered" >      // In this case (single get/update/patch/remove) we need to fetch the item first</span>
+<span class="cstat-no" title="statement not covered" >      // Take care we might have additional query parameters to be "catched" by before hooks,</span>
+<span class="cstat-no" title="statement not covered" >      // however at this stage these query parameters might cause get to fail</span>
+<span class="cstat-no" title="statement not covered" >      const params = Object.assign({ checkAuthorisation: false }, hook.params)</span>
+<span class="cstat-no" title="statement not covered" >      _.unset(params, 'query')</span>
+<span class="cstat-no" title="statement not covered" >      const resource = await hook.service.get(hook.id, params)</span>
+<span class="cstat-no" title="statement not covered" >      debug('Target resource is', resource)</span>
+<span class="cstat-no" title="statement not covered" >      // Then check against the object we'd like to manage</span>
+<span class="cstat-no" title="statement not covered" >      if (!hasResourceAbilities(abilities, operation, resourceType, context, resource)) {</span>
 <span class="cstat-no" title="statement not covered" >        debug('Resource access not granted')</span>
 <span class="cstat-no" title="statement not covered" >        throw new Forbidden(`You are not allowed to perform ${operation} operation on ${resourceType}`)</span>
 <span class="cstat-no" title="statement not covered" >      }</span>
-      // Avoid fetching again the object in this case
-      if (operation === 'get') {
-        hook.result = resource
-      }
-      hook.params.authorised = true
-      debug('Resource access granted')
-      return hook
-    }
-  } else {
-    debug('Authorisation check skipped, access granted')
-  }
-&nbsp;
-  hook.params.authorised = true
-  return hook
-}
+<span class="cstat-no" title="statement not covered" >      // Avoid fetching again the object in this case</span>
+<span class="cstat-no" title="statement not covered" >      if (operation === 'get') {</span>
+<span class="cstat-no" title="statement not covered" >        hook.result = resource</span>
+<span class="cstat-no" title="statement not covered" >      }</span>
+<span class="cstat-no" title="statement not covered" >      hook.params.authorised = true</span>
+<span class="cstat-no" title="statement not covered" >      debug('Resource access granted')</span>
+<span class="cstat-no" title="statement not covered" >      return hook</span>
+<span class="cstat-no" title="statement not covered" >    }</span>
+<span class="cstat-no" title="statement not covered" >  } else {</span>
+<span class="cstat-no" title="statement not covered" >    debug('Authorisation check skipped, access granted')</span>
+<span class="cstat-no" title="statement not covered" >  }</span>
+<span class="cstat-no" title="statement not covered" ></span>
+<span class="cstat-no" title="statement not covered" >  hook.params.authorised = true</span>
+<span class="cstat-no" title="statement not covered" >  return hook</span>
+<span class="cstat-no" title="statement not covered" >}</span>
 &nbsp;
 export function updateAbilities (options = {}) {
   return async function (hook) {
-    const app = hook.app
-    const params = hook.params
-    const authorisationService = app.getService('authorisations')
-    let subject = (options.subjectAsItem ? getItems(hook) <span class="branch-0 cbranch-no" title="branch not covered" >: params.user)</span>
-    // Specific case of authentication result
-    if (subject &amp;&amp; subject.user) <span class="branch-0 cbranch-no" title="branch not covered" >subject = subject.user</span>
-    // We might not have all information required eg on patch to compute new abilities,
-    // in this case we have to fetch the whole subject
-    if (options.fetchSubject) {
-      subject = await app.getService('users').get(subject._id.toString())
-    }
-    await authorisationService.updateAbilities(subject)
-    return hook
-  }
+<span class="cstat-no" title="statement not covered" >    const app = hook.app</span>
+<span class="cstat-no" title="statement not covered" >    const params = hook.params</span>
+<span class="cstat-no" title="statement not covered" >    const authorisationService = app.getService('authorisations')</span>
+<span class="cstat-no" title="statement not covered" >    let subject = (options.subjectAsItem ? getItems(hook) : params.user)</span>
+<span class="cstat-no" title="statement not covered" >    // Specific case of authentication result</span>
+<span class="cstat-no" title="statement not covered" >    if (subject &amp;&amp; subject.user) subject = subject.user</span>
+<span class="cstat-no" title="statement not covered" >    // We might not have all information required eg on patch to compute new abilities,</span>
+<span class="cstat-no" title="statement not covered" >    // in this case we have to fetch the whole subject</span>
+<span class="cstat-no" title="statement not covered" >    if (options.fetchSubject) {</span>
+<span class="cstat-no" title="statement not covered" >      subject = await app.getService('users').get(subject._id.toString())</span>
+<span class="cstat-no" title="statement not covered" >    }</span>
+<span class="cstat-no" title="statement not covered" >    const abilities = await authorisationService.updateAbilities(subject)</span>
+<span class="cstat-no" title="statement not covered" >    debug('Abilities updated on subject', subject, abilities.rules)</span>
+<span class="cstat-no" title="statement not covered" >    return hook</span>
+<span class="cstat-no" title="statement not covered" >  }</span>
 }
 &nbsp;
+export <span class="fstat-no" title="function not covered" >function preventRemovingLastOwner (resourceScope) {</span>
+<span class="cstat-no" title="statement not covered" >  return async function (hook) {</span>
+<span class="cstat-no" title="statement not covered" >    // By pass check ?</span>
+<span class="cstat-no" title="statement not covered" >    if (hook.params.force) return hook</span>
+<span class="cstat-no" title="statement not covered" >    const params = hook.params</span>
+<span class="cstat-no" title="statement not covered" >    const data = hook.data || {}</span>
+<span class="cstat-no" title="statement not covered" >    const query = params.query || {}</span>
+<span class="cstat-no" title="statement not covered" >    const scope = data.scope || query.scope</span>
+<span class="cstat-no" title="statement not covered" >    const grantedPermissions = data.permissions || query.permissions</span>
+<span class="cstat-no" title="statement not covered" >    const grantedRole = (grantedPermissions ? Roles[grantedPermissions] : undefined)</span>
+<span class="cstat-no" title="statement not covered" >    const resource = hook.params.resource</span>
+<span class="cstat-no" title="statement not covered" >    const subjects = hook.params.subjects</span>
+<span class="cstat-no" title="statement not covered" >    const subjectService = hook.params.subjectsService</span>
+<span class="cstat-no" title="statement not covered" >    // On create check if we try to downgrade permissions otherwise let pass through</span>
+<span class="cstat-no" title="statement not covered" >    if (!_.isUndefined(grantedRole) &amp;&amp; (grantedRole === Roles.owner)) return hook</span>
+<span class="cstat-no" title="statement not covered" ></span>
+<span class="cstat-no" title="statement not covered" >    if ((scope === resourceScope) &amp;&amp; resource &amp;&amp; resource._id) {</span>
+<span class="cstat-no" title="statement not covered" >      // Count existing owners</span>
+<span class="cstat-no" title="statement not covered" >      const owners = await countSubjectsForResource(subjectService, resourceScope, resource._id, Roles.owner)</span>
+<span class="cstat-no" title="statement not covered" >      // Now count owners we change/remove permissions on</span>
+<span class="cstat-no" title="statement not covered" >      const removedOwners = subjects.reduce((count, subject) =&gt; {</span>
+<span class="cstat-no" title="statement not covered" >        const resources = _.get(subject, resourceScope, [])</span>
+<span class="cstat-no" title="statement not covered" >        const ownedResource = _.find(resources, { _id: resource._id, permissions: RoleNames[Roles.owner] })</span>
+<span class="cstat-no" title="statement not covered" >        return (ownedResource ? count + 1 : count)</span>
+<span class="cstat-no" title="statement not covered" >      }, 0)</span>
+<span class="cstat-no" title="statement not covered" >      // If none remains stop</span>
+<span class="cstat-no" title="statement not covered" >      if (removedOwners &gt;= owners.total) {</span>
+<span class="cstat-no" title="statement not covered" >        debug('Cannot remove the last owner of resource ', resource)</span>
+<span class="cstat-no" title="statement not covered" >        const resourceName = resource.name ? resource.name : resource._id.toString()</span>
+<span class="cstat-no" title="statement not covered" >        throw new Forbidden('You are not allowed to remove the last owner of resource ' + resourceName, {</span>
+<span class="cstat-no" title="statement not covered" >          translation: {</span>
+<span class="cstat-no" title="statement not covered" >            key: 'CANNOT_REMOVE_LAST_OWNER',</span>
+<span class="cstat-no" title="statement not covered" >            params: { resource: resourceName }</span>
+<span class="cstat-no" title="statement not covered" >          }</span>
+<span class="cstat-no" title="statement not covered" >        })</span>
+<span class="cstat-no" title="statement not covered" >      }</span>
+<span class="cstat-no" title="statement not covered" >    }</span>
+<span class="cstat-no" title="statement not covered" >    return hook</span>
+<span class="cstat-no" title="statement not covered" >  }</span>
+<span class="cstat-no" title="statement not covered" >}</span>
+&nbsp;
+export <span class="fstat-no" title="function not covered" >async function removeOrganisationGroupsAuthorisations (hook) {</span>
+<span class="cstat-no" title="statement not covered" >  const app = hook.app</span>
+<span class="cstat-no" title="statement not covered" >  const authorisationService = app.getService('authorisations')</span>
+<span class="cstat-no" title="statement not covered" >  const org = hook.params.resource</span>
+<span class="cstat-no" title="statement not covered" >  const user = hook.params.user</span>
+<span class="cstat-no" title="statement not covered" >  // Unset membership for the all org groups</span>
+<span class="cstat-no" title="statement not covered" >  const orgGroupService = app.getService('groups', org)</span>
+<span class="cstat-no" title="statement not covered" >  const groups = await orgGroupService.find({ paginate: false })</span>
+<span class="cstat-no" title="statement not covered" >  await Promise.all(groups.map(group =&gt; {</span>
+<span class="cstat-no" title="statement not covered" >  // Unset membership on group for the all org users</span>
+<span class="cstat-no" title="statement not covered" >    return authorisationService.remove(group._id.toString(), {</span>
+<span class="cstat-no" title="statement not covered" >      query: {</span>
+<span class="cstat-no" title="statement not covered" >        scope: 'groups'</span>
+<span class="cstat-no" title="statement not covered" >      },</span>
+<span class="cstat-no" title="statement not covered" >      user,</span>
+<span class="cstat-no" title="statement not covered" >      force: hook.params.force,</span>
+<span class="cstat-no" title="statement not covered" >      // Because we already have resource set it as objects to avoid populating</span>
+<span class="cstat-no" title="statement not covered" >      // Moreover used as an after hook the resource might not already exist anymore</span>
+<span class="cstat-no" title="statement not covered" >      subjects: hook.params.subjects,</span>
+<span class="cstat-no" title="statement not covered" >      subjectsService: hook.params.subjectsService,</span>
+<span class="cstat-no" title="statement not covered" >      resource: group,</span>
+<span class="cstat-no" title="statement not covered" >      resourcesService: orgGroupService</span>
+<span class="cstat-no" title="statement not covered" >    })</span>
+<span class="cstat-no" title="statement not covered" >  }))</span>
+<span class="cstat-no" title="statement not covered" >  debug('Authorisations unset on groups for organisation ' + org._id)</span>
+<span class="cstat-no" title="statement not covered" >  return hook</span>
+<span class="cstat-no" title="statement not covered" >}</span>
+&nbsp;
+export <span class="fstat-no" title="function not covered" >async function removeOrganisationTagsAuthorisations (hook) {</span>
+<span class="cstat-no" title="statement not covered" >  const app = hook.app</span>
+<span class="cstat-no" title="statement not covered" >  const org = hook.params.resource</span>
+<span class="cstat-no" title="statement not covered" >  const subjectService = hook.params.subjectsService</span>
+<span class="cstat-no" title="statement not covered" >  const orgTagsService = app.getService('tags', org)</span>
+<span class="cstat-no" title="statement not covered" >  const subjects = hook.params.subjects || []</span>
+<span class="cstat-no" title="statement not covered" >  if (subjects.length === 0) return hook</span>
+<span class="cstat-no" title="statement not covered" >  // Retrieve org tags</span>
+<span class="cstat-no" title="statement not covered" >  const orgTags = await orgTagsService.find({ paginate: false })</span>
+<span class="cstat-no" title="statement not covered" >  const promises = []</span>
+<span class="cstat-no" title="statement not covered" >  subjects.forEach(subject =&gt; {</span>
+<span class="cstat-no" title="statement not covered" >    const tags = subject.tags || []</span>
+<span class="cstat-no" title="statement not covered" >    // Find tags from org</span>
+<span class="cstat-no" title="statement not covered" >    const fromOrg = _.intersectionWith(tags, orgTags, isTagEqual)</span>
+<span class="cstat-no" title="statement not covered" >    // Clear removed tags</span>
+<span class="cstat-no" title="statement not covered" >    const notFromOrg = _.differenceWith(tags, orgTags, isTagEqual)</span>
+<span class="cstat-no" title="statement not covered" >    // Update subject if required</span>
+<span class="cstat-no" title="statement not covered" >    if (fromOrg.length &gt; 0) {</span>
+<span class="cstat-no" title="statement not covered" >      promises.push(subjectService.patch(subject._id.toString(), { tags: notFromOrg }))</span>
+<span class="cstat-no" title="statement not covered" >    }</span>
+<span class="cstat-no" title="statement not covered" >  })</span>
+<span class="cstat-no" title="statement not covered" >  // Perform subject updates in parallel</span>
+<span class="cstat-no" title="statement not covered" >  await Promise.all(promises)</span>
+<span class="cstat-no" title="statement not covered" >  debug(`Tags unset on ${promises.length} subjects for organisation ` + org._id)</span>
+<span class="cstat-no" title="statement not covered" >  return hook</span>
+<span class="cstat-no" title="statement not covered" >}</span>
 &nbsp;</pre></td></tr></table></pre>
 
                 <div class='push'></div><!-- for sticky footer -->
@@ -943,7 +1228,7 @@ export function updateAbilities (options = {}) {
             <div class='footer quiet pad2 space-top1 center small'>
                 Code coverage generated by
                 <a href="https://istanbul.js.org/" target="_blank" rel="noopener noreferrer">istanbul</a>
-                at 2025-07-24T10:00:20.508Z
+                at 2024-08-13T10:02:04.872Z
             </div>
         <script src="../../../prettify.js"></script>
         <script>