if (!self.permissionGranted &&
                    (!self.doc.createdBy || !self.req.user._id.equals(self.doc.createdBy))) {
                    return self.noaccess();
                }