if (!user.admin && user._id.toString() !== id) {
    res.status(UNAUTHORIZED).json({ success: false, message: 'You are not authorised to request this user.' });
    return;
  }