diff --git a/demo/collections/Category.js b/demo/collections/Category.js
index 21b7a049b0..b4a2d0ca7e 100644
--- a/demo/collections/Category.js
+++ b/demo/collections/Category.js
@@ -1,3 +1,5 @@
+const checkRole = require('../policies/checkRole');
+
 module.exports = {
   slug: 'categories',
   labels: {
@@ -6,16 +8,10 @@ module.exports = {
   },
   useAsTitle: 'title',
   policies: {
-    create: (req, res, next) => {
-      return next();
-    },
-    read: () => false,
-    update: (req, res, next) => {
-      return next();
-    },
-    destroy: (req, res, next) => {
-      return next();
-    },
+    create: user => checkRole(['user', 'admin'], user),
+    read: () => true,
+    update: user => checkRole(['user', 'admin'], user),
+    destroy: user => checkRole(['user', 'admin'], user),
   },
   fields: [
     {
diff --git a/demo/collections/Upload.js b/demo/collections/Upload.js
index 082b369bef..27b2f8a828 100644
--- a/demo/collections/Upload.js
+++ b/demo/collections/Upload.js
@@ -1,3 +1,5 @@
+const checkRole = require('../policies/checkRole');
+
 module.exports = {
   slug: 'uploads',
   labels: {
@@ -6,18 +8,10 @@ module.exports = {
   },
   useAsTitle: 'filename',
   policies: {
-    create: (req, res, next) => {
-      return next();
-    },
-    read: (req, res, next) => {
-      return next();
-    },
-    update: (req, res, next) => {
-      return next();
-    },
-    destroy: (req, res, next) => {
-      return next();
-    },
+    create: user => checkRole(['user', 'admin'], user),
+    read: user => checkRole(['user', 'admin'], user),
+    update: user => checkRole(['user', 'admin'], user),
+    destroy: user => checkRole(['user', 'admin'], user),
   },
   fields: [
     {
diff --git a/demo/collections/User.js b/demo/collections/User.js
index b9ac53c635..10b11b6ee7 100644
--- a/demo/collections/User.js
+++ b/demo/collections/User.js
@@ -1,4 +1,5 @@
 const roles = require('../policies/roles');
+const checkRole = require('../policies/checkRole');
 
 module.exports = {
   slug: 'users',
@@ -10,18 +11,10 @@ module.exports = {
   useAsUsername: 'email',
   passwordIndex: 1,
   policies: {
-    create: (req, res, next) => {
-      return next();
-    },
-    read: (req, res, next) => {
-      return next();
-    },
-    update: (req, res, next) => {
-      return next();
-    },
-    destroy: (req, res, next) => {
-      return next();
-    },
+    create: user => checkRole(['admin'], user),
+    read: null,
+    update: user => checkRole(['admin'], user),
+    destroy: user => checkRole(['admin'], user),
   },
   auth: {
     strategy: 'jwt',
diff --git a/demo/globals/Footer.js b/demo/globals/Footer.js
index 7ce1e94af7..883c5b1c67 100644
--- a/demo/globals/Footer.js
+++ b/demo/globals/Footer.js
@@ -1,19 +1,13 @@
+const checkRole = require('../policies/checkRole');
+
 module.exports = {
   slug: 'footer',
   label: 'Footer',
   policies: {
-    create: (req, res, next) => {
-      return next();
-    },
-    read: (req, res, next) => {
-      return next();
-    },
-    update: (req, res, next) => {
-      return next();
-    },
-    destroy: (req, res, next) => {
-      return next();
-    },
+    create: user => checkRole(['admin'], user),
+    read: () => true,
+    update: user => checkRole(['admin'], user),
+    destroy: user => checkRole(['admin'], user),
   },
   fields: [
     {
diff --git a/demo/globals/Header.js b/demo/globals/Header.js
index 2ee63d597f..5300e8df2f 100644
--- a/demo/globals/Header.js
+++ b/demo/globals/Header.js
@@ -1,3 +1,4 @@
+const checkRole = require('../policies/checkRole');
 const Quote = require('../content-blocks/Quote');
 const CallToAction = require('../content-blocks/CallToAction');
 
@@ -5,18 +6,10 @@ module.exports = {
   slug: 'header',
   label: 'Header',
   policies: {
-    create: (req, res, next) => {
-      return next();
-    },
-    read: (req, res, next) => {
-      return next();
-    },
-    update: (req, res, next) => {
-      return next();
-    },
-    destroy: (req, res, next) => {
-      return next();
-    },
+    create: user => checkRole(['admin'], user),
+    read: () => true,
+    update: user => checkRole(['admin'], user),
+    destroy: user => checkRole(['admin'], user),
   },
   fields: [
     {
diff --git a/demo/payload.config.js b/demo/payload.config.js
index 3ac63a6e5b..bd73176b10 100644
--- a/demo/payload.config.js
+++ b/demo/payload.config.js
@@ -35,7 +35,6 @@ module.exports = {
     defaultLocale: 'en',
     fallback: true,
   },
-  // uploads: false, // To disable upload routes otherwise defaults will be use and if set to an object
   uploads: {
     image: {
       imageSizes: [
diff --git a/demo/policies/checkRole.js b/demo/policies/checkRole.js
index 56150227c4..448483fd04 100644
--- a/demo/policies/checkRole.js
+++ b/demo/policies/checkRole.js
@@ -4,13 +4,8 @@
  * @param user
  * @returns {Function}
  */
-
 const checkRole = (roles, user) => {
-  if (user && roles.some(role => role === user.role)) {
-    return true;
-  }
-
-  return false;
+  return !!(user && roles.some(role => role === user.role));
 };
 
 module.exports = checkRole;
diff --git a/src/globals/registerSchema.js b/src/globals/registerSchema.js
index 843ea8de53..3e95b97a9e 100644
--- a/src/globals/registerSchema.js
+++ b/src/globals/registerSchema.js
@@ -1,5 +1,6 @@
 const mongoose = require('mongoose');
 const autopopulate = require('mongoose-autopopulate');
+const mongooseHidden = require('mongoose-hidden');
 const fieldToSchemaMap = require('../mongoose/schema/fieldToSchemaMap');
 const localizationPlugin = require('../localization/plugin');
 
@@ -25,7 +26,8 @@ const registerSchema = (globalConfigs, config) => {
     'globals',
     new mongoose.Schema({ ...globalSchemaGroups, timestamps: false })
       .plugin(localizationPlugin, config.localization)
-      .plugin(autopopulate),
+      .plugin(autopopulate)
+      .plugin(mongooseHidden()),
   );
 
   return globals;
diff --git a/src/index.js b/src/index.js
index d3e8d5c46b..7a47a8e496 100644
--- a/src/index.js
+++ b/src/index.js
@@ -28,7 +28,7 @@ class Payload {
     this.getCollections.bind(this);
     this.getGlobals.bind(this);
 
-    // Setup & inititalization
+    // Setup & initialization
     connectMongoose(options.config.mongoURL);
     registerExpressMiddleware(options);
     initPassport(options.app);
@@ -78,6 +78,7 @@ class Payload {
   }
 
   registerUpload() {
+    // TODO: mongooseHidden on our upload model is hiding all the fields
     const uploadSchema = buildCollectionSchema(
       this.config.upload,
       this.config,
@@ -91,14 +92,15 @@ class Payload {
     });
 
     this.Upload = mongoose.model(this.config.upload.labels.singular, uploadSchema);
+    // TODO: image type hard coded, but in the future we need some way of customizing how uploads are handled in customizable pattern
     this.Upload.discriminator('image', imageSchema);
 
+    registerUploadRoutes(this.Upload, this.config, this.router);
+
     registerCollectionRoutes({
       model: this.Upload,
       config: this.config.upload,
     }, this.router);
-
-    registerUploadRoutes(this.Upload, this.config, this.router);
   }
 
   registerGlobals(globals) {
diff --git a/src/uploads/images/imageResizer.js b/src/uploads/images/imageResizer.js
index c7e5248753..dc03fad608 100644
--- a/src/uploads/images/imageResizer.js
+++ b/src/uploads/images/imageResizer.js
@@ -12,29 +12,34 @@ function getOutputImageName(sourceImage, size) {
 }
 
 module.exports = async function resizeAndSave(config, uploadConfig, file) {
-  const sourceImage = `${config.staticDir}/${file.name}`;
+  /**
+   * Resize images according to image desired width and height and return sizes
+   * @param config
+   * @param uploadConfig
+   * @param file
+   * @returns String[]
+   */
 
-  const outputSizes = [];
+
+  const sourceImage = `${config.staticDir}/${file.name}`;
+  let sizes;
   try {
     const dimensions = await sizeOf(sourceImage);
-    uploadConfig.imageSizes.forEach(async (desiredSize) => {
-      if (desiredSize.width > dimensions.width) {
-        return;
-      }
-      const outputImageName = getOutputImageName(sourceImage, desiredSize);
-      await sharp(sourceImage)
-        .resize(desiredSize.width, desiredSize.height, {
-          position: desiredSize.crop || 'centre',
-        })
-        .toFile(outputImageName);
-      outputSizes.push({
-        name: desiredSize.name,
-        height: desiredSize.height,
-        width: desiredSize.width,
+    sizes = uploadConfig.imageSizes
+      .filter(desiredSize => desiredSize.width < dimensions.width)
+      .map(async (desiredSize) => {
+        const outputImageName = getOutputImageName(sourceImage, desiredSize);
+        await sharp(sourceImage)
+          .resize(desiredSize.width, desiredSize.height, {
+            // would it make sense for this to be set by the uploader?
+            position: desiredSize.crop || 'centre',
+          })
+          .toFile(outputImageName);
+        return { ...desiredSize };
       });
-    });
   } catch (e) {
     console.log('error in resize and save', e.message);
   }
-  return outputSizes;
+
+  return Promise.all(sizes);
 };