router.delete('/:id', auth.hasRole('admin'), controller.destroy);
router.get('/me', auth.isAuthenticated(), controller.me);
router.put('/me', auth.isAuthenticated(), controller.updateMe);
-router.put('/:id/password', auth.isAuthenticated(), controller.changePassword);
-router.get('/:id', auth.isAuthenticated(), controller.show);
+router.put('/password', auth.isAuthenticated(), controller.changePassword);
+router.get('/:id', auth.hasRole('admin'), controller.show);
router.post('/:id', auth.hasRole('admin'), controller.update);
-router.post('/', controller.create);
+router.post('/', auth.hasRole('admin'), controller.create);
module.exports = router;