closes #5202

src/controllers/accounts/edit.js

@@ -12,6 +12,7 @@ var plugins = require('../../plugins');
 var helpers = require('../helpers');
 var groups = require('../../groups');
 var accountHelpers = require('./helpers');
+var privileges = require('../../privileges');
 
 var editController = {};
 
@@ -118,11 +119,8 @@ editController.uploadPicture = function (req, res, next) {
 		},
 		function (uid, next) {
 			updateUid = uid;
-			if (parseInt(req.uid, 10) === parseInt(uid, 10)) {
-				return next(null, true);
-			}
 
-			user.isAdminOrGlobalMod(req.uid, next);
+			privileges.users.canEdit(req.uid, uid, next);
 		},
 		function (isAllowed, next) {
 			if (!isAllowed) {

src/controllers/accounts/helpers.js

@@ -24,13 +24,16 @@ helpers.getUserDataByUserSlug = function (userslug, callerUID, callback) {
 			}
 
 			async.parallel({
-				userData : function (next) {
+				userData: function (next) {
 					user.getUserData(uid, next);
 				},
-				userSettings : function (next) {
+				isTargetAdmin: function (next) {
+					user.isAdministrator(uid, next);
+				},
+				userSettings: function (next) {
 					user.getSettings(uid, next);
 				},
-				isAdmin : function (next) {
+				isAdmin: function (next) {
 					user.isAdministrator(callerUID, next);
 				},
 				isGlobalModerator: function (next) {
@@ -87,7 +90,7 @@ helpers.getUserDataByUserSlug = function (userslug, callerUID, callback) {
 				userData.fullname = '';
 			}
 
-			if (isAdmin || isGlobalModerator || isSelf) {
+			if (isAdmin || isSelf || (isGlobalModerator && !results.isTargetAdmin)) {
 				userData.ips = results.ips;
 			}
 
@@ -98,16 +101,18 @@ helpers.getUserDataByUserSlug = function (userslug, callerUID, callback) {
 			userData.uid = userData.uid;
 			userData.yourid = callerUID;
 			userData.theirid = userData.uid;
+			userData.isTargetAdmin = results.isTargetAdmin;
 			userData.isAdmin = isAdmin;
 			userData.isGlobalModerator = isGlobalModerator;
 			userData.isModerator = isModerator;
 			userData.isAdminOrGlobalModerator = isAdmin || isGlobalModerator;
 			userData.isAdminOrGlobalModeratorOrModerator = isAdmin || isGlobalModerator || isModerator;
-			userData.canBan = isAdmin || isGlobalModerator;
+			userData.canEdit = isAdmin || (isGlobalModerator && !results.isTargetAdmin);
+			userData.canBan = isAdmin || (isGlobalModerator && !results.isTargetAdmin);
 			userData.canChangePassword = isAdmin || (isSelf && parseInt(meta.config['password:disableEdit'], 10) !== 1);
 			userData.isSelf = isSelf;
 			userData.isFollowing = results.isFollowing;
-			userData.showHidden = isSelf || isAdmin || isGlobalModerator;
+			userData.showHidden = isSelf || isAdmin || (isGlobalModerator && !results.isTargetAdmin);
 			userData.groups = Array.isArray(results.groups) && results.groups.length ? results.groups[0] : [];
 			userData.disableSignatures = meta.config.disableSignatures !== undefined && parseInt(meta.config.disableSignatures, 10) === 1;
 			userData['reputation:disabled'] = parseInt(meta.config['reputation:disabled'], 10) === 1;

src/middleware/user.js

@@ -2,8 +2,10 @@
 
 var async = require('async');
 var nconf =  require('nconf');
+
 var meta = require('../meta');
 var user = require('../user');
+var privileges = require('../privileges');
 
 var controllers = {
 	helpers: require('../controllers/helpers')
@@ -29,11 +31,7 @@ module.exports = function (middleware) {
 				user.getUidByUserslug(req.params.userslug, next);
 			},
 			function (uid, next) {
-				if (parseInt(uid, 10) === req.uid) {
-					return next(null, true);
-				}
-
-				user.isAdminOrGlobalMod(req.uid, next);
+				privileges.users.canEdit(req.uid, uid, next);
 			},
 			function (allowed, next) {
 				if (allowed) {

src/privileges/users.js

@@ -136,4 +136,29 @@ module.exports = function (privileges) {
 		});
 	}
 
+	privileges.users.canEdit = function (callerUid, uid, callback) {
+		if (parseInt(callerUid, 10) === parseInt(uid, 10)) {
+			return process.nextTick(callback, null, true);
+		}
+
+		async.parallel({
+			isAdmin: function (next) {
+				privileges.users.isAdministrator(callerUid, next);
+			},
+			isGlobalMod: function (next) {
+				privileges.users.isGlobalModerator(callerUid, next);
+			},
+			isTargetAdmin: function (next) {
+				privileges.users.isAdministrator(uid, next);
+			}
+		}, function (err, results) {
+			if (err) {
+				return callback(err);
+			}
+			var canEdit = results.isAdmin || (results.isGlobalMod && !results.isTargetAdmin);
+
+			callback(null, canEdit);
+		});
+	};
+
 };

src/socket.io/user.js

@@ -13,6 +13,7 @@ var events = require('../events');
 var emailer = require('../emailer');
 var db = require('../database');
 var apiController = require('../controllers/api');
+var privileges = require('../privileges');
 
 var SocketUser = {};
 
@@ -211,10 +212,7 @@ SocketUser.saveSettings = function (socket, data, callback) {
 
 	async.waterfall([
 		function (next) {
-			if (socket.uid === parseInt(data.uid, 10)) {
-				return next(null, true);
-			}
-			user.isAdminOrGlobalMod(socket.uid, next);
+			privileges.users.canEdit(socket.uid, data.uid, next);
 		},
 		function (allowed, next) {
 			if (!allowed) {
@@ -326,7 +324,7 @@ SocketUser.setModerationNote = function (socket, data, callback) {
 
 	async.waterfall([
 		function (next) {
-			user.isAdminOrGlobalMod(socket.uid, next);
+			privileges.users.canEdit(socket.uid, data.uid, next);
 		},
 		function (allowed, next) {
 			if (allowed) {

src/socket.io/user/profile.js

@@ -5,6 +5,7 @@ var async = require('async');
 var user = require('../../user');
 var meta = require('../../meta');
 var events = require('../../events');
+var privileges = require('../../privileges');
 
 module.exports = function (SocketUser) {
 
@@ -127,18 +128,25 @@ module.exports = function (SocketUser) {
 					return next(new Error('[[error:invalid-data]]'));
 				}
 
-				user.isAdminOrGlobalMod(socket.uid, next);
+				async.parallel({
+					isAdminOrGlobalMod: function (next) {
+						user.isAdminOrGlobalMod(socket.uid, next);
+					},
+					canEdit: function (next) {
+						privileges.users.canEdit(socket.uid, data.uid, next);
+					}
+				}, next);
 			},
-			function (isAdminOrGlobalMod, next) {
-				if (!isAdminOrGlobalMod && socket.uid !== parseInt(data.uid, 10)) {
+			function (results, next) {
+				if (!results.canEdit) {
 					return next(new Error('[[error:no-privileges]]'));
 				}
 
-				if (!isAdminOrGlobalMod && parseInt(meta.config['username:disableEdit'], 10) === 1) {
+				if (!results.isAdminOrGlobalMod && parseInt(meta.config['username:disableEdit'], 10) === 1) {
 					data.username = oldUserData.username;
 				}
 
-				if (!isAdminOrGlobalMod && parseInt(meta.config['email:disableEdit'], 10) === 1) {
+				if (!results.isAdminOrGlobalMod && parseInt(meta.config['email:disableEdit'], 10) === 1) {
 					data.email = oldUserData.email;
 				}