if (!user.admin && user._id.toString() !== id) {
    res.status(UNAUTHORIZED).json({ success: false, message: 'Request denied' });
    return;
  }