remove role link from user

src/main/java/com/commafeed/backend/dao/UserDAO.java

@@ -6,7 +6,6 @@ import javax.inject.Singleton;
 import org.hibernate.SessionFactory;
 
 import com.commafeed.backend.model.QUser;
-import com.commafeed.backend.model.QUserRole;
 import com.commafeed.backend.model.User;
 
 @Singleton
@@ -20,18 +19,15 @@ public class UserDAO extends GenericDAO<User> {
 	}
 
 	public User findByName(String name) {
-		return newQuery().from(user).where(user.name.equalsIgnoreCase(name)).leftJoin(user.roles, QUserRole.userRole).fetch()
-				.uniqueResult(user);
+		return newQuery().from(user).where(user.name.equalsIgnoreCase(name)).uniqueResult(user);
 	}
 
 	public User findByApiKey(String key) {
-		return newQuery().from(user).where(user.apiKey.equalsIgnoreCase(key)).leftJoin(user.roles, QUserRole.userRole).fetch()
-				.uniqueResult(user);
+		return newQuery().from(user).where(user.apiKey.equalsIgnoreCase(key)).uniqueResult(user);
 	}
 
 	public User findByEmail(String email) {
-		return newQuery().from(user).where(user.email.equalsIgnoreCase(email)).leftJoin(user.roles, QUserRole.userRole).fetch()
-				.uniqueResult(user);
+		return newQuery().from(user).where(user.email.equalsIgnoreCase(email)).uniqueResult(user);
 	}
 
 	public long count() {

src/main/java/com/commafeed/backend/model/User.java

@@ -1,7 +1,6 @@
 package com.commafeed.backend.model;
 
 import java.util.Date;
-import java.util.HashSet;
 import java.util.Set;
 
 import javax.persistence.CascadeType;
@@ -18,8 +17,6 @@ import lombok.Setter;
 
 import org.apache.commons.lang3.time.DateUtils;
 
-import com.commafeed.backend.model.UserRole.Role;
-
 @Entity
 @Table(name = "USERS")
 @SuppressWarnings("serial")
@@ -57,9 +54,6 @@ public class User extends AbstractModel {
 	@Temporal(TemporalType.TIMESTAMP)
 	private Date recoverPasswordTokenDate;
 
-	@OneToMany(mappedBy = "user", cascade = CascadeType.REMOVE)
-	private Set<UserRole> roles = new HashSet<>();
-
 	@OneToMany(mappedBy = "user", fetch = FetchType.LAZY, cascade = CascadeType.REMOVE)
 	private Set<FeedSubscription> subscriptions;
 
@@ -67,10 +61,6 @@ public class User extends AbstractModel {
 	@Temporal(TemporalType.TIMESTAMP)
 	private Date lastFullRefresh;
 
-	public boolean hasRole(Role role) {
-		return getRoles().stream().anyMatch(r -> r.getRole() == role);
-	}
-
 	public boolean shouldRefreshFeedsAt(Date when) {
 		return (lastFullRefresh == null || lastFullRefreshMoreThan30MinutesBefore(when));
 	}

src/main/java/com/commafeed/backend/service/UserService.java

@@ -3,6 +3,7 @@ package com.commafeed.backend.service;
 import java.util.Collection;
 import java.util.Date;
 import java.util.Optional;
+import java.util.Set;
 import java.util.UUID;
 
 import javax.inject.Inject;
@@ -133,4 +134,8 @@ public class UserService {
 		byte[] key = encryptionService.getEncryptedPassword(UUID.randomUUID().toString(), user.getSalt());
 		return DigestUtils.sha1Hex(key);
 	}
+
+	public Set<Role> getRoles(User user) {
+		return userRoleDAO.findRoles(user);
+	}
 }

src/main/java/com/commafeed/frontend/auth/SecurityCheckFactory.java

@@ -1,6 +1,7 @@
 package com.commafeed.frontend.auth;
 
 import java.util.Optional;
+import java.util.Set;
 
 import javax.inject.Inject;
 import javax.servlet.http.HttpServletRequest;
@@ -46,7 +47,8 @@ public class SecurityCheckFactory extends AbstractContainerRequestValueFactory<U
 		}
 
 		if (user.isPresent()) {
-			if (user.get().hasRole(role)) {
+			Set<Role> roles = userService.getRoles(user.get());
+			if (roles.contains(role)) {
 				return user.get();
 			} else {
 				throw new WebApplicationException(Response.status(Response.Status.FORBIDDEN)