How to use the http-errors.Forbidden function in http-errors

ctx.body = {
      map,
    }

    return
  }
  if (visibility && !VISIBILITIES.includes(visibility)) {
    throw new httpErrors.BadRequest('Invalid map visibility: ' + visibility)
  }

  if (visibility === MAP_VISIBILITY_OFFICIAL) {
    throw new httpErrors.Forbidden("Can't change visibility to 'OFFICIAL'")
  }
  if (map.visibility === MAP_VISIBILITY_OFFICIAL) {
    if (!ctx.session.permissions.manageMaps) {
      throw new httpErrors.Forbidden('Not enough permissions')
    }
    if (visibility && visibility !== map.visibility) {
      throw new httpErrors.Forbidden("Can't change visibility of 'OFFICIAL' maps")
    }
  }
  // Admins can update maps of other users (in case the name contains a dirty word, like 'protoss')
  if (map.uploadedBy.id !== ctx.session.userId && !ctx.session.permissions.manageMaps) {
    throw new httpErrors.Forbidden("Can't update maps of other users")
  }

  map = await updateMap(mapId, ctx.session.userId, name, description, visibility)
  ctx.body = {
    map,
  }
}

'select set_config(\'role\', $1, true)',
        [anonymousRole],
      )
    }

    return
  }

  let decoded

  // If `jwt.verify` throws an error, catch it and re-throw it as a 403 error.
  try {
    decoded = jwt.verify(token, secret, { audience: 'postgraphql' })
  }
  catch (error) {
    throw new Forbidden(error.message)
  }

  const role = decoded.role || anonymousRole
  const values = []
  const querySelection = []

  // Make sure to set the local role if it exists.
  if (role) {
    values.push(role)
    querySelection.push('set_config(\'role\', $1, true)')
  }

  // Iterate through all of the JWT decoded values and set a local parameter
  // with that key and value.
  forEach(decoded, (value, key) => {
    values.push(key)

}

  if (visibility === MAP_VISIBILITY_OFFICIAL) {
    throw new httpErrors.Forbidden("Can't change visibility to 'OFFICIAL'")
  }
  if (map.visibility === MAP_VISIBILITY_OFFICIAL) {
    if (!ctx.session.permissions.manageMaps) {
      throw new httpErrors.Forbidden('Not enough permissions')
    }
    if (visibility && visibility !== map.visibility) {
      throw new httpErrors.Forbidden("Can't change visibility of 'OFFICIAL' maps")
    }
  }
  // Admins can update maps of other users (in case the name contains a dirty word, like 'protoss')
  if (map.uploadedBy.id !== ctx.session.userId && !ctx.session.permissions.manageMaps) {
    throw new httpErrors.Forbidden("Can't update maps of other users")
  }

  map = await updateMap(mapId, ctx.session.userId, name, description, visibility)
  ctx.body = {
    map,
  }
}

// Throw error if access token does not contain a `me` value
  if (!accessToken.me) {
    throw new HttpError.Unauthorized('There was a problem with this access token');
  }

  // Normalize publication and token URLs before comparing
  const accessTokenMe = normalizeUrl(accessToken.me);
  const publicationMe = normalizeUrl(opts.me);
  const isAuthenticated = accessTokenMe === publicationMe;

  debug('Verified token URL: %s', accessTokenMe);
  debug('Publication URL: %s', publicationMe);

  // Publication URL does not match that provided by access token
  if (!isAuthenticated) {
    throw new HttpError.Forbidden('User does not have permission to perform request');
  }

  return accessToken;
};

export default function (req, res, next) {
  if ([ 'GET', 'HEAD', 'OPTIONS' ].includes(req.method)) {
    return next();
  }

  let identifier = req.headers.origin || req.header.referer;

  if (identifier) {
    if (!isValidIdentifier(identifier)) {
      let error = new Forbidden('Invalid origin or referer');
      return next(error);
    }
  }

  next();
}

limit = parseInt(limit, 10)
  if (!limit || isNaN(limit) || limit < 0 || limit > 100) {
    limit = 60
  }

  page = parseInt(page, 10)
  if (!page || isNaN(page) || page < 0) {
    page = 0
  }

  if (!VISIBILITIES.includes(visibility)) {
    throw new httpErrors.BadRequest('Invalid map visibility: ' + visibility)
  }

  if (q && !ctx.session.permissions.manageMaps) {
    throw new httpErrors.Forbidden('Not enough permissions')
  }

  let uploadedBy = null
  if (visibility === MAP_VISIBILITY_PRIVATE) {
    uploadedBy = ctx.session.userId
  }

  const favoritedBy = ctx.session.userId
  const [mapsResult, favoritedMaps] = await Promise.all([
    getMaps(visibility, limit, page, favoritedBy, uploadedBy, q),
    visibility === MAP_VISIBILITY_PRIVATE ? getFavoritedMaps(favoritedBy) : Promise.resolve([]),
  ])
  const { total, maps } = mapsResult
  ctx.body = {
    maps,
    favoritedMaps,

return async function(ctx, next) {
    if (!permissions.every(p => ctx.session.permissions[p])) {
      throw new httpErrors.Forbidden('Not enough permissions')
    }

    await next()
  }
}

async function loadUser (_, req, res) {
  const authorized =
    req.user.id === req.params.id ||
    users.hasPermissions(req.user, ['User:read'])
  if (!authorized) throw new httpError.Forbidden()
  const rec = await users.load(req.params.id)
  res.status(200).json(formatRelationshipsOut(rec))
}

async function remove(ctx, next) {
  const { mapId } = ctx.params

  const map = (await getMapInfo([mapId]))[0]
  if (!map) {
    throw new httpErrors.NotFound('Map not found')
  }
  if (
    (map.visibility === MAP_VISIBILITY_OFFICIAL || map.visibility === MAP_VISIBILITY_PUBLIC) &&
    !ctx.session.permissions.manageMaps
  ) {
    throw new httpErrors.Forbidden('Not enough permissions')
  }
  if (map.visibility === MAP_VISIBILITY_PRIVATE && map.uploadedBy.id !== ctx.session.userId) {
    throw new httpErrors.Forbidden("Can't remove maps of other users")
  }

  await removeMap(mapId)
  ctx.status = 204
}

export async function admin(ctx: Context, next) {
  if (!(ctx.session && ctx.session.user)) {
    throw new Unauthorized();
  }

  if (ctx.session.user.getDataValue('role') !== 'admin') {
    throw new Forbidden('Invalid user level');
  }

  return next();
}