if (context.user.workspace !== workspace && context.user.permissions.indexOf('superuser') === -1) {
      err = new Error('Forbidden');
      err.code = 403;
      return callback(err);
    }