- Modified privacywrite query with graphLookup:

$graphLookup: {
        from: "projects",
        startWith: "$id_main_project",
        connectFromField: "id_main_project",
        connectToField: "_id",
        as: "ris",
        restrictSearchWithMatch: { $or: [{ privacyread: server_constants.Privacy.all }, { userId: userId }] }
      }
    },
    { $match: { "ris.privacyread": { $exists: true } } },

server/router/projects_router.js

@@ -70,13 +70,16 @@ router.patch('/:id', authenticate, (req, res) => {
   var id = req.params.id;
   var body = _.pick(req.body, tools.allfieldProject());
 
-  tools.mylogshow('PATCH PROJECT: ', id)
+  tools.mylogshow('PATCH PROJECT: ', id);
 
   if (!ObjectID.isValid(id)) {
     tools.mylog('ERROR: id not VALID', id);
     return res.status(404).send();
   }
 
+  // check if you are able to modify this project
+  if (!Project.enabletoModify(String(req.user._id), id))
+    return res.status(404).send();
 
   Project.findByIdAndUpdate(id, { $set: body }, { new: true }).then((project) => {
     tools.mylogshow(' PROJECT TO MODIFY: ', project.descr);
@@ -128,7 +131,8 @@ router.get('/:userId', authenticate, (req, res) => {
   // Extract all the projects of the userId only
   // Project.findAllByUserIdAndCat(userId, category).then((projects) => {
   return Project.getAllProjects(userId).then((objprojects) => {
-    tools.mylog('projects', objprojects.arrproj.length);
+    if (!!objprojects.arrproj)
+      tools.mylog('projects', objprojects.arrproj.length);
 
     return objprojects