From 08fc42474a6785df6c866ee83af617e9026fcb2c Mon Sep 17 00:00:00 2001
From: Simon Schick <SimonSimCity@gmail.com>
Date: Thu, 14 Nov 2019 12:13:20 +0400
Subject: [PATCH] Fixed examples and updated the readme

---
 History.md                                    |  17 +-
 README.md                                     | 111 ++++++------
 examples/flow-router-advanced/.meteor/release |   2 +-
 .../flow-router-advanced/.meteor/versions     | 163 ++++++++++--------
 .../main/server/startup/publish.js            |   8 +
 .../manageUsers/server/manageUsers.js         |   5 +-
 .../flow-router-advanced/package-lock.json    |  20 +++
 examples/flow-router-advanced/package.json    |   6 +
 examples/flow-router/.meteor/release          |   2 +-
 examples/flow-router/.meteor/versions         | 163 ++++++++++--------
 examples/flow-router/package-lock.json        |  20 +++
 examples/flow-router/package.json             |   6 +
 examples/flow-router/server/server.js         |  13 +-
 examples/iron-router/.meteor/release          |   2 +-
 examples/iron-router/.meteor/versions         | 163 ++++++++++--------
 examples/iron-router/package-lock.json        |  20 +++
 examples/iron-router/package.json             |   6 +
 examples/iron-router/server/server.js         |  13 +-
 roles/client/uiHelpers.js                     |   4 +-
 19 files changed, 461 insertions(+), 283 deletions(-)
 create mode 100644 examples/flow-router-advanced/main/server/startup/publish.js
 create mode 100644 examples/flow-router-advanced/package-lock.json
 create mode 100644 examples/flow-router-advanced/package.json
 create mode 100644 examples/flow-router/package-lock.json
 create mode 100644 examples/flow-router/package.json
 create mode 100644 examples/iron-router/package-lock.json
 create mode 100644 examples/iron-router/package.json

diff --git a/History.md b/History.md
index c04629d..f15262d 100644
--- a/History.md
+++ b/History.md
@@ -1,3 +1,18 @@
 ## v3.0.0
 
-* ...
+* Role assignments have been moved from the `users` documents to a separate collection called `role-assignment`, available at `Meteor.roleAssignment`.
+* Role assignments are not published automatically. If you want all your role-assignments to be published automatically please include the following code:
+```js
+Meteor.publish(null, function () {
+  if (this.userId) {
+    return Meteor.roleAssignment.find({ 'user._id': this.userId });
+  } else {
+    this.ready()
+  }
+})
+```
+* [BC] The behavior of `getRolesForUser()` used with the option `fullObjects` changed. [In case you need the old behavior ...](https://github.com/Meteor-Community-Packages/meteor-roles/pull/276/commits/41d2ed493852f21cf508b5b0b76e4f8a09ae8f5c#diff-b2ab7f7879884835e55802c6a35ee27e)
+* Added option `anyScope` to `removeUsersFromRoles()`
+* Add option `onlyScoped` to `getRolesForUser()` to allow limiting the result to only scoped permissions
+* All functions (excepted for those listed above) work with 2.x arguments, but in 3.x accept extra arguments and/or options.
+* Details and reasoning can be found in [#276](https://github.com/Meteor-Community-Packages/meteor-roles/pull/276)
diff --git a/README.md b/README.md
index 1dfb8b0..8acc567 100644
--- a/README.md
+++ b/README.md
@@ -45,6 +45,7 @@ Thanks to:
   * [@nickmoylan](https://github.com/nickmoylan)
   * [@mcrider](https://github.com/mcrider)
   * [@alanning](https://github.com/alanning)
+  * [@simonsimcity](https://github.com/simonsimcity)
 
 <br />
 
@@ -53,10 +54,9 @@ Thanks to:
 ### Authorization
 
 This package lets you attach roles to a user which you can then check against later when deciding whether to grant
-access to Meteor methods or publish data.  The core concept is very simple, essentially you are attaching roles
-to a user object and then checking for the existence of those roles later. In some sense, it is very similar to
-tags on blog posts. This package provides helper methods to make the process of adding, removing, and verifying
-those roles easier.
+access to Meteor methods or publish data. The core concept is very simple, essentially you are creating an assignment
+of roles to a user and then checking for the existence of those roles later. This package provides helper methods
+to make the process of adding, removing, and verifying those roles easier.
 
 <br />
 
@@ -71,10 +71,10 @@ as, `view-secrets`, `users.view`, or `users.manage`.  Often, more granular is ac
 able to handle all those pesky edge cases that come up in real-life usage without creating a ton of higher-level
 `roles`.  With the `roles` package, it's all just a role object.
 
-Roles can be put into a **hierarchy**.  
+Roles can be put into a **hierarchy**.
 Roles can have multiple parents and can be children (subroles) of multiple roles.
-If a parent role is set to the user, all its descendants are also applying. 
-You can use this to create "super roles" aggregating permissions all the way through the bottom of the tree.  
+If a parent role is set to the user, all its descendants are also applying.
+You can use this to create "super roles" aggregating permissions all the way through the bottom of the tree.
 For example, you could name two top-level roles `user` and `admin` and then you could use your second-level roles as permissions and name them `USERS_VIEW`, `POST_EDIT`, and similar.
 Then you could set `admin` role as parent role for `USERS_VIEW` and `POST_EDIT`, while `user` would be parent
 only of the `POST_EDIT` role. You can then assign `user` and `admin` roles to your users. And if you need to
@@ -96,12 +96,11 @@ Roles.addRolesToParent('POST_EDIT', 'user');
 <a id="roles-scopes" name="roles-scopes"></a>
 ### What are "scopes"?
 
-Sometimes it is useful to let a user have independent sets of roles.  The `roles` package calls these independent
+Sometimes it is useful to let a user have independent sets of roles. The `roles` package calls these independent
 sets "scopes" for lack of a better term. You can use them to represent various communities inside of your
 application. Or maybe your application supports [multiple tenants](https://en.wikipedia.org/wiki/Multitenancy).
 You can put each of those tenants into their own scope. Alternatively, you can use scopes to represent
-various resources you have. But if you really need per-document permissions, if might be that storing permissions
-with documents is a better approach (than one takes by this package, where roles are stored with users).
+various resources you have.
 
 Users can have both scope roles assigned, and global roles. Global roles are in effect for all scopes.
 But scopes are independent from each other. Users can have one set of roles in scope A and another set
@@ -135,27 +134,37 @@ if (Roles.userIsInRole(joesUserId, ['manage-team', 'super-admin'], 'real-madrid.
 <a id="roles-changes" name="roles-changes"></a>
 ### Changes to default Meteor behavior
 
-  1. User entries in the `Meteor.users` collection gain a new field named `roles` corresponding to the user's roles.
-  2. A new collection `Meteor.roles` contains a global list of defined role names.
-  3. The currently logged-in user's `roles` field is automatically published to the client.
-  4. All existing roles are automatically published to the client.
+  1. A new collection `Meteor.roleAssignment` contains the information which role has been assigned to which user.
+  1. A new collection `Meteor.roles` contains a global list of defined role names.
+  1. All existing roles are automatically published to the client.
 
 <br />
 
 <a id="roles-installing" name="roles-installing"></a>
 ### Installing
 
-1. Add one of the built-in accounts packages so the `Meteor.users` collection exists.  From a command prompt:
+1. Add one of the built-in accounts packages so the `Meteor.users` collection exists. From a command prompt:
     ```bash
     meteor add accounts-password
     ```
 
-3. Add this package to your project.  From a command prompt:
+1. Add this package to your project. From a command prompt:
     ```bash
     meteor add alanning:roles
     ```
 
-4. Run your application:
+1. Publish the role assignments you need to the client:
+    ```js
+    Meteor.publish(null, function () {
+      if (this.userId) {
+        return Meteor.roleAssignment.find({ 'user._id': this.userId });
+      } else {
+        this.ready()
+      }
+    })
+    ```
+
+1. Run your application:
     ```bash
     meteor
     ```
@@ -163,30 +172,42 @@ if (Roles.userIsInRole(joesUserId, ['manage-team', 'super-admin'], 'real-madrid.
 <br />
 
 <a id="roles-migration" name="roles-migration"></a>
-### Migration to 2.0
+### Migration to 3.0
 
-In meteor-roles 2.0, functions are mostly backwards compatible with 1.0, but roles are stored differently in the database. To migrate the database to new schema, run `Meteor._forwardMigrate()` on the server:
+In meteor-roles 3.0, functions are mostly backwards compatible with 2.0, but roles are stored differently in the database. Please take a backup of the `users` collection before migrating. To migrate the database to the new schema, run `Meteor._forwardMigrate2()` on the server:
 
 ```bash
 meteor shell
-> Package['alanning:roles'].Roles._forwardMigrate()
+> Package['alanning:roles'].Roles._forwardMigrate2()
 ```
 
-#### Changes between 1.0 and 2.0
+In case something fails, there is also a script available for rolling back the changes. But be warned that a backward migration takes a magnitude longer than a foward migration. To migrate the database back to the old schema, run `Meteor._backwardMigrate2()` on the server:
+
+```bash
+meteor shell
+> Package['alanning:roles'].Roles._backwardMigrate2()
+```
 
-Here is the list of important changes between meteor-roles 1.0 and 2.0 to consider when migrating to 2.0:
+#### Changes between 2.0 and 3.0
 
-* New schema for `roles` field and `Meteor.roles` collection.
-* Groups were renamed to scopes.
-* Scopes are always available, if you do not specify a scope, role is seen as a global role.
-* `GLOBAL_GROUP` is deprecated and should not be used anymore (just do not specify a scope, or use `null`).
-* `getGroupsForUser` is deprecated, `getScopesForUser` should be used instead.
-* Functions which modify roles are available both on the client and server side, but should be called on the
-  client side only from inside Meteor methods.
-* `deleteRole` can now delete role even when in use, it is automatically unset from all users.
-* Functions `addRolesToParent` and `removeRolesFromParent` were added.
-* `addUsersToRoles` and `setUserRoles` now require that roles exist and will not create missing roles automatically.
-* All functions work with 1.0 arguments, but in 2.0 accept extra arguments and/or options.
+Here is the list of important changes between meteor-roles 2.0 and 3.0 to consider when migrating to 3.0:
+
+* Role assignments have been moved from the `users` documents to a separate collection called `role-assignment`, available at `Meteor.roleAssignment`.
+* Role assignments are not published automatically. If you want all your role-assignments to be published automatically please include the following code:
+```js
+Meteor.publish(null, function () {
+  if (this.userId) {
+    return Meteor.roleAssignment.find({ 'user._id': this.userId });
+  } else {
+    this.ready()
+  }
+})
+```
+* [BC] The behavior of `getRolesForUser()` used with the option `fullObjects` changed. [In case you need the old behavior ...](https://github.com/Meteor-Community-Packages/meteor-roles/pull/276/commits/41d2ed493852f21cf508b5b0b76e4f8a09ae8f5c#diff-b2ab7f7879884835e55802c6a35ee27e)
+* Added option `anyScope` to `removeUsersFromRoles()`
+* Add option `onlyScoped` to `getRolesForUser()` to allow limiting the result to only scoped permissions
+* All functions (excepted for those listed above) work with 2.x arguments, but in 3.x accept extra arguments and/or options.
+* Details and reasoning can be found in [#276](https://github.com/Meteor-Community-Packages/meteor-roles/pull/276)
 
 <br />
 
@@ -221,7 +242,7 @@ users.forEach(function (user) {
     profile: { name: user.name }
   });
 
-  if (user.roles.length > 0) {
+  if (Meteor.roleAssignment.find({ 'user._id': id }).count() === 0) {
     user.roles.forEach(function (role) {
       Roles.createRole(role, {unlessExists: true});
     });
@@ -346,12 +367,13 @@ Meteor.methods({
 
 -- **Client** --
 
-Client javascript has access to all the same Roles functions as the server with the addition of a `isInRole`
-handlebars helper which is automatically registered by the Roles package.
+Client javascript doese not by default have access to all the same Roles functions as the server unless you publish
+these role-assignments. In addition, Blaze will have the addition of a `isInRole` handlebars helper which is
+automatically registered by the Roles package.
 
 As with all Meteor applications, client-side checks are a convenience, rather than a true security implementation 
-since Meteor bundles the same client-side code to all users.  Providing the Roles functions client-side also allows
-for latency compensation during Meteor method calls.  Roles functions which modify the database should not be
+since Meteor bundles the same client-side code to all users. Providing the Roles functions client-side also allows
+for latency compensation during Meteor method calls. Roles functions which modify the database should not be
 called directly, but inside the Meteor methods.
 
 NOTE: Any sensitive data needs to be controlled server-side to prevent unwanted disclosure. To be clear, Meteor sends
@@ -395,7 +417,7 @@ To check for roles when using scopes:
 <a id="roles-docs" name="roles-docs"></a>
 ### API Docs
 
-Online API docs found here: http://alanning.github.io/meteor-roles/classes/Roles.html
+Online API docs found here: https://meteor-community-packages.github.io/meteor-roles/
 
 API docs generated using [YUIDoc](http://yui.github.com/yuidoc/)
 
@@ -438,15 +460,6 @@ View the `flow-router` example app online @  <a href="http://roles.meteor.com/"
 <a id="roles-testing" name="roles-testing"></a>
 ### Tests
 
-
 To run tests:
   1. `cd meteor-roles`
-  2. `meteor test-packages ./`
-  3. point browser at http://localhost:3000/
-
-_NOTE_: If you see an error message regarding **"The package named roles does not exist"** that means you are either:
-  a) in the wrong directory or 
-  b) forgot the './' in step 2.  
-
-Step 2 needs to be run in the main 'meteor-roles' directory and the './' is needed because otherwise Meteor
-expects to be in a Meteor app directory.
+  2. `npm run test`
diff --git a/examples/flow-router-advanced/.meteor/release b/examples/flow-router-advanced/.meteor/release
index 3a05e0a..97064e1 100644
--- a/examples/flow-router-advanced/.meteor/release
+++ b/examples/flow-router-advanced/.meteor/release
@@ -1 +1 @@
-METEOR@1.2.1
+METEOR@1.8.1
diff --git a/examples/flow-router-advanced/.meteor/versions b/examples/flow-router-advanced/.meteor/versions
index 06b0c5f..df592bd 100644
--- a/examples/flow-router-advanced/.meteor/versions
+++ b/examples/flow-router-advanced/.meteor/versions
@@ -1,84 +1,97 @@
-accounts-base@1.2.2
-accounts-password@1.1.4
-accounts-ui@1.1.6
-accounts-ui-unstyled@1.1.8
-alanning:roles@1.2.14
+accounts-base@1.4.3
+accounts-password@1.5.1
+accounts-ui@1.3.1
+accounts-ui-unstyled@1.4.2
+alanning:roles@3.0.0
 alanning:trace@0.0.2
-autoupdate@1.2.4
-babel-compiler@5.8.24_1
-babel-runtime@0.1.4
-base64@1.0.4
-binary-heap@1.0.4
-blaze@2.1.3
+allow-deny@1.1.0
+autoupdate@1.6.0
+babel-compiler@7.3.4
+babel-runtime@1.3.0
+base64@1.0.11
+binary-heap@1.0.11
+blaze@2.3.3
 blaze-html-templates@1.0.1
-blaze-tools@1.0.4
-boilerplate-generator@1.0.4
+blaze-tools@1.0.10
+boilerplate-generator@1.6.0
 bootstrap@1.0.1
-caching-compiler@1.0.0
-caching-html-compiler@1.0.2
-callback-hook@1.0.4
-check@1.1.0
+caching-compiler@1.2.1
+caching-html-compiler@1.0.6
+callback-hook@1.1.0
+check@1.3.1
 coffeescript@1.0.11
 cosmos:browserify@0.9.3
-ddp@1.2.2
-ddp-client@1.2.1
-ddp-common@1.2.2
-ddp-rate-limiter@1.0.0
-ddp-server@1.2.2
-deps@1.0.9
-diff-sequence@1.0.1
-ecmascript@0.1.6
-ecmascript-runtime@0.2.6
-ejson@1.0.7
-email@1.0.8
-fastclick@1.0.7
-geojson-utils@1.0.4
-hot-code-push@1.0.0
-html-tools@1.0.5
-htmljs@1.0.5
-http@1.1.1
-id-map@1.0.4
-jquery@1.11.4
+ddp@1.4.0
+ddp-client@2.3.3
+ddp-common@1.4.0
+ddp-rate-limiter@1.0.7
+ddp-server@2.3.0
+deps@1.0.12
+diff-sequence@1.1.1
+dynamic-import@0.5.1
+ecmascript@0.12.4
+ecmascript-runtime@0.7.0
+ecmascript-runtime-client@0.8.0
+ecmascript-runtime-server@0.7.1
+ejson@1.1.0
+email@1.2.3
+es5-shim@4.8.0
+fetch@0.1.1
+geojson-utils@1.0.10
+hot-code-push@1.0.4
+html-tools@1.0.11
+htmljs@1.0.11
+id-map@1.1.0
+inter-process-messaging@0.1.0
+jquery@1.11.9
 kadira:blaze-layout@2.3.0
 kadira:flow-router@2.10.0
-launch-screen@1.0.4
-less@2.5.1
-livedata@1.0.15
-localstorage@1.0.5
-logging@1.0.8
-meteor@1.1.10
-meteor-base@1.0.1
-minifiers@1.1.7
-minimongo@1.0.10
-mobile-experience@1.0.1
-mobile-status-bar@1.0.6
-mongo@1.1.3
-mongo-id@1.0.1
-npm-bcrypt@0.7.8_2
-npm-mongo@1.4.39_1
-observe-sequence@1.0.7
-ordered-dict@1.0.4
-promise@0.5.1
-random@1.0.5
-rate-limit@1.0.0
-reactive-dict@1.1.3
-reactive-var@1.0.6
-reload@1.1.4
-retry@1.0.4
-routepolicy@1.0.6
-service-configuration@1.0.5
-session@1.1.1
-sha@1.0.4
-spacebars@1.0.7
-spacebars-compiler@1.0.7
+launch-screen@1.1.1
+less@2.8.0
+livedata@1.0.18
+localstorage@1.2.0
+logging@1.1.20
+meteor@1.9.3
+meteor-base@1.4.0
+minifier-css@1.4.2
+minifier-js@2.4.1
+minimongo@1.4.5
+mobile-experience@1.0.5
+mobile-status-bar@1.0.14
+modern-browsers@0.1.4
+modules@0.13.0
+modules-runtime@0.10.3
+mongo@1.6.2
+mongo-decimal@0.1.1
+mongo-dev-server@1.1.0
+mongo-id@1.0.7
+npm-bcrypt@0.9.3
+npm-mongo@3.1.2
+observe-sequence@1.0.16
+ordered-dict@1.1.0
+promise@0.11.2
+random@1.1.0
+rate-limit@1.0.9
+reactive-dict@1.3.0
+reactive-var@1.0.11
+reload@1.3.0
+retry@1.1.0
+routepolicy@1.1.0
+service-configuration@1.0.11
+session@1.2.0
+sha@1.0.9
+socket-stream-client@0.2.2
+spacebars@1.0.12
+spacebars-compiler@1.1.1
 spiderable@1.0.9
-srp@1.0.4
-standard-minifiers@1.0.2
-templating@1.1.5
-templating-tools@1.0.0
-tracker@1.0.9
+srp@1.0.12
+standard-minifier-css@1.5.3
+standard-minifier-js@2.4.1
+standard-minifiers@1.1.0
+templating@1.2.14
+templating-tools@1.1.1
+tracker@1.2.0
 ui@1.0.8
-underscore@1.0.4
-url@1.0.5
-webapp@1.2.3
-webapp-hashing@1.0.5
+underscore@1.0.10
+webapp@1.7.3
+webapp-hashing@1.0.9
diff --git a/examples/flow-router-advanced/main/server/startup/publish.js b/examples/flow-router-advanced/main/server/startup/publish.js
new file mode 100644
index 0000000..6fc34f0
--- /dev/null
+++ b/examples/flow-router-advanced/main/server/startup/publish.js
@@ -0,0 +1,8 @@
+// Publish all role-assignments
+Meteor.publish(null, function () {
+  if (this.userId) {
+    return Meteor.roleAssignment.find({ 'user._id': this.userId });
+  } else {
+    this.ready();
+  }
+});
diff --git a/examples/flow-router-advanced/manageUsers/server/manageUsers.js b/examples/flow-router-advanced/manageUsers/server/manageUsers.js
index f6e0e2a..51eb067 100644
--- a/examples/flow-router-advanced/manageUsers/server/manageUsers.js
+++ b/examples/flow-router-advanced/manageUsers/server/manageUsers.js
@@ -11,7 +11,10 @@ Meteor.publish("users", function () {
 
   if (Roles.userIsInRole(this.userId, ["admin","manage-users"])) {
     console.log('publishing users', this.userId)
-    return Meteor.users.find({}, {fields: {emails: 1, profile: 1, roles: 1}})
+    return [
+      Meteor.roleAssignment.find({}),
+      Meteor.users.find({}, {fields: {emails: 1, profile: 1}})
+    ];
   } 
 
   this.stop()
diff --git a/examples/flow-router-advanced/package-lock.json b/examples/flow-router-advanced/package-lock.json
new file mode 100644
index 0000000..4a99962
--- /dev/null
+++ b/examples/flow-router-advanced/package-lock.json
@@ -0,0 +1,20 @@
+{
+  "name": "flow-router-advanced",
+  "requires": true,
+  "lockfileVersion": 1,
+  "dependencies": {
+    "@babel/runtime": {
+      "version": "7.7.2",
+      "resolved": "https://registry.npmjs.org/@babel/runtime/-/runtime-7.7.2.tgz",
+      "integrity": "sha512-JONRbXbTXc9WQE2mAZd1p0Z3DZ/6vaQIkgYMSTP3KjRCyd7rCZCcfhCyX+YjwcKxcZ82UrxbRD358bpExNgrjw==",
+      "requires": {
+        "regenerator-runtime": "^0.13.2"
+      }
+    },
+    "regenerator-runtime": {
+      "version": "0.13.3",
+      "resolved": "https://registry.npmjs.org/regenerator-runtime/-/regenerator-runtime-0.13.3.tgz",
+      "integrity": "sha512-naKIZz2GQ8JWh///G7L3X6LaQUAMp2lvb1rvwwsURe/VXwD6VMfr+/1NuNw3ag8v2kY1aQ/go5SNn79O9JU7yw=="
+    }
+  }
+}
diff --git a/examples/flow-router-advanced/package.json b/examples/flow-router-advanced/package.json
new file mode 100644
index 0000000..5ac4ef5
--- /dev/null
+++ b/examples/flow-router-advanced/package.json
@@ -0,0 +1,6 @@
+{
+  "name": "flow-router-advanced",
+  "dependencies": {
+    "@babel/runtime": "^7.7.2"
+  }
+}
diff --git a/examples/flow-router/.meteor/release b/examples/flow-router/.meteor/release
index 3a05e0a..97064e1 100644
--- a/examples/flow-router/.meteor/release
+++ b/examples/flow-router/.meteor/release
@@ -1 +1 @@
-METEOR@1.2.1
+METEOR@1.8.1
diff --git a/examples/flow-router/.meteor/versions b/examples/flow-router/.meteor/versions
index 06b0c5f..df592bd 100644
--- a/examples/flow-router/.meteor/versions
+++ b/examples/flow-router/.meteor/versions
@@ -1,84 +1,97 @@
-accounts-base@1.2.2
-accounts-password@1.1.4
-accounts-ui@1.1.6
-accounts-ui-unstyled@1.1.8
-alanning:roles@1.2.14
+accounts-base@1.4.3
+accounts-password@1.5.1
+accounts-ui@1.3.1
+accounts-ui-unstyled@1.4.2
+alanning:roles@3.0.0
 alanning:trace@0.0.2
-autoupdate@1.2.4
-babel-compiler@5.8.24_1
-babel-runtime@0.1.4
-base64@1.0.4
-binary-heap@1.0.4
-blaze@2.1.3
+allow-deny@1.1.0
+autoupdate@1.6.0
+babel-compiler@7.3.4
+babel-runtime@1.3.0
+base64@1.0.11
+binary-heap@1.0.11
+blaze@2.3.3
 blaze-html-templates@1.0.1
-blaze-tools@1.0.4
-boilerplate-generator@1.0.4
+blaze-tools@1.0.10
+boilerplate-generator@1.6.0
 bootstrap@1.0.1
-caching-compiler@1.0.0
-caching-html-compiler@1.0.2
-callback-hook@1.0.4
-check@1.1.0
+caching-compiler@1.2.1
+caching-html-compiler@1.0.6
+callback-hook@1.1.0
+check@1.3.1
 coffeescript@1.0.11
 cosmos:browserify@0.9.3
-ddp@1.2.2
-ddp-client@1.2.1
-ddp-common@1.2.2
-ddp-rate-limiter@1.0.0
-ddp-server@1.2.2
-deps@1.0.9
-diff-sequence@1.0.1
-ecmascript@0.1.6
-ecmascript-runtime@0.2.6
-ejson@1.0.7
-email@1.0.8
-fastclick@1.0.7
-geojson-utils@1.0.4
-hot-code-push@1.0.0
-html-tools@1.0.5
-htmljs@1.0.5
-http@1.1.1
-id-map@1.0.4
-jquery@1.11.4
+ddp@1.4.0
+ddp-client@2.3.3
+ddp-common@1.4.0
+ddp-rate-limiter@1.0.7
+ddp-server@2.3.0
+deps@1.0.12
+diff-sequence@1.1.1
+dynamic-import@0.5.1
+ecmascript@0.12.4
+ecmascript-runtime@0.7.0
+ecmascript-runtime-client@0.8.0
+ecmascript-runtime-server@0.7.1
+ejson@1.1.0
+email@1.2.3
+es5-shim@4.8.0
+fetch@0.1.1
+geojson-utils@1.0.10
+hot-code-push@1.0.4
+html-tools@1.0.11
+htmljs@1.0.11
+id-map@1.1.0
+inter-process-messaging@0.1.0
+jquery@1.11.9
 kadira:blaze-layout@2.3.0
 kadira:flow-router@2.10.0
-launch-screen@1.0.4
-less@2.5.1
-livedata@1.0.15
-localstorage@1.0.5
-logging@1.0.8
-meteor@1.1.10
-meteor-base@1.0.1
-minifiers@1.1.7
-minimongo@1.0.10
-mobile-experience@1.0.1
-mobile-status-bar@1.0.6
-mongo@1.1.3
-mongo-id@1.0.1
-npm-bcrypt@0.7.8_2
-npm-mongo@1.4.39_1
-observe-sequence@1.0.7
-ordered-dict@1.0.4
-promise@0.5.1
-random@1.0.5
-rate-limit@1.0.0
-reactive-dict@1.1.3
-reactive-var@1.0.6
-reload@1.1.4
-retry@1.0.4
-routepolicy@1.0.6
-service-configuration@1.0.5
-session@1.1.1
-sha@1.0.4
-spacebars@1.0.7
-spacebars-compiler@1.0.7
+launch-screen@1.1.1
+less@2.8.0
+livedata@1.0.18
+localstorage@1.2.0
+logging@1.1.20
+meteor@1.9.3
+meteor-base@1.4.0
+minifier-css@1.4.2
+minifier-js@2.4.1
+minimongo@1.4.5
+mobile-experience@1.0.5
+mobile-status-bar@1.0.14
+modern-browsers@0.1.4
+modules@0.13.0
+modules-runtime@0.10.3
+mongo@1.6.2
+mongo-decimal@0.1.1
+mongo-dev-server@1.1.0
+mongo-id@1.0.7
+npm-bcrypt@0.9.3
+npm-mongo@3.1.2
+observe-sequence@1.0.16
+ordered-dict@1.1.0
+promise@0.11.2
+random@1.1.0
+rate-limit@1.0.9
+reactive-dict@1.3.0
+reactive-var@1.0.11
+reload@1.3.0
+retry@1.1.0
+routepolicy@1.1.0
+service-configuration@1.0.11
+session@1.2.0
+sha@1.0.9
+socket-stream-client@0.2.2
+spacebars@1.0.12
+spacebars-compiler@1.1.1
 spiderable@1.0.9
-srp@1.0.4
-standard-minifiers@1.0.2
-templating@1.1.5
-templating-tools@1.0.0
-tracker@1.0.9
+srp@1.0.12
+standard-minifier-css@1.5.3
+standard-minifier-js@2.4.1
+standard-minifiers@1.1.0
+templating@1.2.14
+templating-tools@1.1.1
+tracker@1.2.0
 ui@1.0.8
-underscore@1.0.4
-url@1.0.5
-webapp@1.2.3
-webapp-hashing@1.0.5
+underscore@1.0.10
+webapp@1.7.3
+webapp-hashing@1.0.9
diff --git a/examples/flow-router/package-lock.json b/examples/flow-router/package-lock.json
new file mode 100644
index 0000000..b6bcd6b
--- /dev/null
+++ b/examples/flow-router/package-lock.json
@@ -0,0 +1,20 @@
+{
+  "name": "flow-router",
+  "requires": true,
+  "lockfileVersion": 1,
+  "dependencies": {
+    "@babel/runtime": {
+      "version": "7.7.2",
+      "resolved": "https://registry.npmjs.org/@babel/runtime/-/runtime-7.7.2.tgz",
+      "integrity": "sha512-JONRbXbTXc9WQE2mAZd1p0Z3DZ/6vaQIkgYMSTP3KjRCyd7rCZCcfhCyX+YjwcKxcZ82UrxbRD358bpExNgrjw==",
+      "requires": {
+        "regenerator-runtime": "^0.13.2"
+      }
+    },
+    "regenerator-runtime": {
+      "version": "0.13.3",
+      "resolved": "https://registry.npmjs.org/regenerator-runtime/-/regenerator-runtime-0.13.3.tgz",
+      "integrity": "sha512-naKIZz2GQ8JWh///G7L3X6LaQUAMp2lvb1rvwwsURe/VXwD6VMfr+/1NuNw3ag8v2kY1aQ/go5SNn79O9JU7yw=="
+    }
+  }
+}
diff --git a/examples/flow-router/package.json b/examples/flow-router/package.json
new file mode 100644
index 0000000..d79c6aa
--- /dev/null
+++ b/examples/flow-router/package.json
@@ -0,0 +1,6 @@
+{
+  "name": "flow-router",
+  "dependencies": {
+    "@babel/runtime": "^7.7.2"
+  }
+}
diff --git a/examples/flow-router/server/server.js b/examples/flow-router/server/server.js
index dd853ac..7ad399f 100644
--- a/examples/flow-router/server/server.js
+++ b/examples/flow-router/server/server.js
@@ -81,6 +81,14 @@ Meteor.startup(function () {
 // Publish
 //
 
+// Publish all role-assignments
+Meteor.publish(null, function () {
+  if (this.userId) {
+    return Meteor.roleAssignment.find({ 'user._id': this.userId });
+  } else {
+    this.ready();
+  }
+});
 
 // Authorized users can view secrets
 Meteor.publish("secrets", function () {
@@ -101,7 +109,10 @@ Meteor.publish("users", function () {
 
   if (Roles.userIsInRole(user, ["admin","manage-users"])) {
     console.log('publishing users', this.userId);
-    return Meteor.users.find({}, {fields: {emails: 1, profile: 1, roles: 1}});
+    return [
+      Meteor.roleAssignment.find({}),
+      Meteor.users.find({}, {fields: {emails: 1, profile: 1}})
+    ];
   }
 
   this.stop();
diff --git a/examples/iron-router/.meteor/release b/examples/iron-router/.meteor/release
index 3a05e0a..97064e1 100644
--- a/examples/iron-router/.meteor/release
+++ b/examples/iron-router/.meteor/release
@@ -1 +1 @@
-METEOR@1.2.1
+METEOR@1.8.1
diff --git a/examples/iron-router/.meteor/versions b/examples/iron-router/.meteor/versions
index 3b792d4..2cfb894 100644
--- a/examples/iron-router/.meteor/versions
+++ b/examples/iron-router/.meteor/versions
@@ -1,41 +1,46 @@
-accounts-base@1.2.2
-accounts-password@1.1.4
-accounts-ui@1.1.6
-accounts-ui-unstyled@1.1.8
-alanning:roles@1.2.14
+accounts-base@1.4.3
+accounts-password@1.5.1
+accounts-ui@1.3.1
+accounts-ui-unstyled@1.4.2
+alanning:roles@3.0.0
 alanning:trace@0.0.2
-autoupdate@1.2.4
-babel-compiler@5.8.24_1
-babel-runtime@0.1.4
-base64@1.0.4
-binary-heap@1.0.4
-blaze@2.1.3
+allow-deny@1.1.0
+autoupdate@1.6.0
+babel-compiler@7.3.4
+babel-runtime@1.3.0
+base64@1.0.11
+binary-heap@1.0.11
+blaze@2.3.3
 blaze-html-templates@1.0.1
-blaze-tools@1.0.4
-boilerplate-generator@1.0.4
+blaze-tools@1.0.10
+boilerplate-generator@1.6.0
 bootstrap@1.0.1
-caching-compiler@1.0.0
-caching-html-compiler@1.0.2
-callback-hook@1.0.4
-check@1.1.0
-ddp@1.2.2
-ddp-client@1.2.1
-ddp-common@1.2.2
-ddp-rate-limiter@1.0.0
-ddp-server@1.2.2
-deps@1.0.9
-diff-sequence@1.0.1
-ecmascript@0.1.6
-ecmascript-runtime@0.2.6
-ejson@1.0.7
-email@1.0.8
-fastclick@1.0.7
-geojson-utils@1.0.4
-hot-code-push@1.0.0
-html-tools@1.0.5
-htmljs@1.0.5
-http@1.1.1
-id-map@1.0.4
+caching-compiler@1.2.1
+caching-html-compiler@1.0.6
+callback-hook@1.1.0
+check@1.3.1
+ddp@1.4.0
+ddp-client@2.3.3
+ddp-common@1.4.0
+ddp-rate-limiter@1.0.7
+ddp-server@2.3.0
+deps@1.0.12
+diff-sequence@1.1.1
+dynamic-import@0.5.1
+ecmascript@0.12.4
+ecmascript-runtime@0.7.0
+ecmascript-runtime-client@0.8.0
+ecmascript-runtime-server@0.7.1
+ejson@1.1.0
+email@1.2.3
+es5-shim@4.8.0
+fetch@0.1.1
+geojson-utils@1.0.10
+hot-code-push@1.0.4
+html-tools@1.0.11
+htmljs@1.0.11
+id-map@1.1.0
+inter-process-messaging@0.1.0
 iron:controller@1.0.12
 iron:core@1.0.11
 iron:dynamic-template@1.0.12
@@ -44,45 +49,53 @@ iron:location@1.0.11
 iron:middleware-stack@1.0.11
 iron:router@1.0.12
 iron:url@1.0.11
-jquery@1.11.4
-launch-screen@1.0.4
-less@2.5.1
-livedata@1.0.15
-localstorage@1.0.5
-logging@1.0.8
-meteor@1.1.10
-meteor-base@1.0.1
-minifiers@1.1.7
-minimongo@1.0.10
-mobile-experience@1.0.1
-mobile-status-bar@1.0.6
-mongo@1.1.3
-mongo-id@1.0.1
-npm-bcrypt@0.7.8_2
-npm-mongo@1.4.39_1
-observe-sequence@1.0.7
-ordered-dict@1.0.4
-promise@0.5.1
-random@1.0.5
-rate-limit@1.0.0
-reactive-dict@1.1.3
-reactive-var@1.0.6
-reload@1.1.4
-retry@1.0.4
-routepolicy@1.0.6
-service-configuration@1.0.5
-session@1.1.1
-sha@1.0.4
-spacebars@1.0.7
-spacebars-compiler@1.0.7
+jquery@1.11.9
+launch-screen@1.1.1
+less@2.8.0
+livedata@1.0.18
+localstorage@1.2.0
+logging@1.1.20
+meteor@1.9.3
+meteor-base@1.4.0
+minifier-css@1.4.2
+minifier-js@2.4.1
+minimongo@1.4.5
+mobile-experience@1.0.5
+mobile-status-bar@1.0.14
+modern-browsers@0.1.4
+modules@0.13.0
+modules-runtime@0.10.3
+mongo@1.6.2
+mongo-decimal@0.1.1
+mongo-dev-server@1.1.0
+mongo-id@1.0.7
+npm-bcrypt@0.9.3
+npm-mongo@3.1.2
+observe-sequence@1.0.16
+ordered-dict@1.1.0
+promise@0.11.2
+random@1.1.0
+rate-limit@1.0.9
+reactive-dict@1.3.0
+reactive-var@1.0.11
+reload@1.3.0
+retry@1.1.0
+routepolicy@1.1.0
+service-configuration@1.0.11
+session@1.2.0
+sha@1.0.9
+socket-stream-client@0.2.2
+spacebars@1.0.12
+spacebars-compiler@1.1.1
 spiderable@1.0.9
-srp@1.0.4
-standard-minifiers@1.0.2
-templating@1.1.5
-templating-tools@1.0.0
-tracker@1.0.9
+srp@1.0.12
+standard-minifier-css@1.5.3
+standard-minifier-js@2.4.1
+standard-minifiers@1.1.0
+templating@1.2.14
+templating-tools@1.1.1
+tracker@1.2.0
 ui@1.0.8
-underscore@1.0.4
-url@1.0.5
-webapp@1.2.3
-webapp-hashing@1.0.5
+underscore@1.0.10
+webapp@1.7.3
+webapp-hashing@1.0.9
diff --git a/examples/iron-router/package-lock.json b/examples/iron-router/package-lock.json
new file mode 100644
index 0000000..a6030f1
--- /dev/null
+++ b/examples/iron-router/package-lock.json
@@ -0,0 +1,20 @@
+{
+  "name": "iron-router",
+  "requires": true,
+  "lockfileVersion": 1,
+  "dependencies": {
+    "@babel/runtime": {
+      "version": "7.7.2",
+      "resolved": "https://registry.npmjs.org/@babel/runtime/-/runtime-7.7.2.tgz",
+      "integrity": "sha512-JONRbXbTXc9WQE2mAZd1p0Z3DZ/6vaQIkgYMSTP3KjRCyd7rCZCcfhCyX+YjwcKxcZ82UrxbRD358bpExNgrjw==",
+      "requires": {
+        "regenerator-runtime": "^0.13.2"
+      }
+    },
+    "regenerator-runtime": {
+      "version": "0.13.3",
+      "resolved": "https://registry.npmjs.org/regenerator-runtime/-/regenerator-runtime-0.13.3.tgz",
+      "integrity": "sha512-naKIZz2GQ8JWh///G7L3X6LaQUAMp2lvb1rvwwsURe/VXwD6VMfr+/1NuNw3ag8v2kY1aQ/go5SNn79O9JU7yw=="
+    }
+  }
+}
diff --git a/examples/iron-router/package.json b/examples/iron-router/package.json
new file mode 100644
index 0000000..fe29949
--- /dev/null
+++ b/examples/iron-router/package.json
@@ -0,0 +1,6 @@
+{
+  "name": "iron-router",
+  "dependencies": {
+    "@babel/runtime": "^7.7.2"
+  }
+}
diff --git a/examples/iron-router/server/server.js b/examples/iron-router/server/server.js
index 8df5daa..09bedaf 100644
--- a/examples/iron-router/server/server.js
+++ b/examples/iron-router/server/server.js
@@ -81,6 +81,14 @@ Meteor.startup(function () {
 // Publish
 //
 
+// Publish all role-assignments
+Meteor.publish(null, function () {
+  if (this.userId) {
+    return Meteor.roleAssignment.find({ 'user._id': this.userId });
+  } else {
+    this.ready();
+  }
+});
 
 // Authorized users can view secrets
 Meteor.publish("secrets", function () {
@@ -101,7 +109,10 @@ Meteor.publish("users", function () {
 
   if (Roles.userIsInRole(user, ["admin","manage-users"])) {
     console.log('publishing users', this.userId);
-    return Meteor.users.find({}, {fields: {emails: 1, profile: 1, roles: 1}});
+    return [
+      Meteor.roleAssignment.find({}),
+      Meteor.users.find({}, {fields: {emails: 1, profile: 1}})
+    ];
   }
 
   this.stop();
diff --git a/roles/client/uiHelpers.js b/roles/client/uiHelpers.js
index 618aafa..7ee2991 100644
--- a/roles/client/uiHelpers.js
+++ b/roles/client/uiHelpers.js
@@ -51,10 +51,10 @@ Roles._uiHelpers = {
 
     if (comma !== -1) {
       roles = role.split(',').reduce(function (memo, r) {
-        if (!r || !Roles._trim(r)) {
+        if (!r) {
           return memo
         }
-        memo.push(Roles._trim(r))
+        memo.push(r)
         return memo
       }, [])
     } else {