fixes admin user picture edit

public/src/forum/accountedit.js

@@ -117,7 +117,7 @@ define(['forum/accountheader', 'uploader'], function(header, uploader) {
 		$('#uploadPictureBtn').on('click', function() {
 
 			$('#change-picture-modal').modal('hide');
-			uploader.open(RELATIVE_PATH + '/user/uploadpicture', {}, config.maximumProfileImageSize, function(imageUrlOnServer) {
+			uploader.open(RELATIVE_PATH + '/user/uploadpicture', {uid: templates.get('theirid')}, config.maximumProfileImageSize, function(imageUrlOnServer) {
 				imageUrlOnServer = imageUrlOnServer + '?' + new Date().getTime();
 
 				$('#user-current-picture').attr('src', imageUrlOnServer);
@@ -220,7 +220,8 @@ define(['forum/accountheader', 'uploader'], function(header, uploader) {
 
 	AccountEdit.changeUserPicture = function(type) {
 		var userData = {
-			type: type
+			type: type,
+			uid: templates.get('theirid')
 		};
 
 		socket.emit('user.changePicture', userData, function(err) {

src/routes/user.js

@@ -165,8 +165,7 @@ var fs = require('fs'),
 					});
 				}
 
-				var convertToPNG = parseInt(meta.config['profile:convertProfileImageToPNG'], 10);
-				var filename = req.user.uid + '-profileimg' + (convertToPNG ? '.png' : extension);
+				var updateUid = req.params.uid;
 
 				async.waterfall([
 					function(next) {
@@ -174,16 +173,41 @@ var fs = require('fs'),
 					},
 					function(next) {
 						image.convertImageToPng(req.files.userPhoto.path, extension, next);
+					},
+					function(next) {
+						try {
+							var params = JSON.parse(req.body.params);
+							if(parseInt(updateUid, 10) === parseInt(params.uid, 10)) {
+								return next();
+							}
+
+							user.isAdministrator(req.user.uid, function(err, isAdmin) {
+								if(err) {
+									return next(err);
+								}
+
+								if(!isAdmin) {
+									return res.json(403, {
+										error: 'Not allowed!'
+									});
+								}
+								updateUid = params.uid;
+								next();
+							});
+						} catch(err) {
+							next(err);
+						}
 					}
 				], function(err, result) {
+
 					function done(err, image) {
 						fs.unlink(req.files.userPhoto.path);
 						if(err) {
 							return res.send({error: err.message});
 						}
 
-						user.setUserField(req.user.uid, 'uploadedpicture', image.url);
-						user.setUserField(req.user.uid, 'picture', image.url);
+						user.setUserField(updateUid, 'uploadedpicture', image.url);
+						user.setUserField(updateUid, 'picture', image.url);
 						res.json({
 							path: image.url
 						});
@@ -194,26 +218,28 @@ var fs = require('fs'),
 					}
 
 					if(plugins.hasListeners('filter:uploadImage')) {
-						plugins.fireHook('filter:uploadImage', req.files.userPhoto, done);
-					} else {
+						return plugins.fireHook('filter:uploadImage', req.files.userPhoto, done);
+					}
 
-						user.getUserField(req.user.uid, 'uploadedpicture', function (err, oldpicture) {
-							if (!oldpicture) {
-								file.saveFileToLocal(filename, req.files.userPhoto.path, done);
-								return;
-							}
+					var convertToPNG = parseInt(meta.config['profile:convertProfileImageToPNG'], 10);
+					var filename = updateUid + '-profileimg' + (convertToPNG ? '.png' : extension);
 
-							var absolutePath = path.join(nconf.get('base_dir'), nconf.get('upload_path'), path.basename(oldpicture));
+					user.getUserField(updateUid, 'uploadedpicture', function (err, oldpicture) {
+						if (!oldpicture) {
+							file.saveFileToLocal(filename, req.files.userPhoto.path, done);
+							return;
+						}
 
-							fs.unlink(absolutePath, function (err) {
-								if (err) {
-									winston.err(err);
-								}
+						var absolutePath = path.join(nconf.get('base_dir'), nconf.get('upload_path'), path.basename(oldpicture));
 
-								file.saveFileToLocal(filename, req.files.userPhoto.path, done);
-							});
+						fs.unlink(absolutePath, function (err) {
+							if (err) {
+								winston.err(err);
+							}
+
+							file.saveFileToLocal(filename, req.files.userPhoto.path, done);
 						});
-					}
+					});
 				});
 			});
 		});

src/socket.io/user.js

@@ -102,12 +102,12 @@ SocketUser.updateProfile = function(socket, data, callback) {
 
 SocketUser.changePicture = function(socket, data, callback) {
 	if(!data) {
-		return;
+		return callback(new Error('invalid-data'));
 	}
 
 	var type = data.type;
 
-	function updateHeader() {
+	function updateHeader(callback) {
 		user.getUserFields(socket.uid, ['picture'], function(err, fields) {
 			if(err) {
 				return callback(err);
@@ -118,7 +118,17 @@ SocketUser.changePicture = function(socket, data, callback) {
 				socket.emit('meta.updateHeader', null, fields);
 			}
 
-			callback(null);
+			callback();
+		});
+	}
+
+	function changePicture(uid, callback) {
+		user.getUserField(uid, type, function(err, picture) {
+			if(err) {
+				return callback(err);
+			}
+
+			user.setUserField(uid, 'picture', picture, callback);
 		});
 	}
 
@@ -130,9 +140,26 @@ SocketUser.changePicture = function(socket, data, callback) {
 		return callback(new Error('invalid-image-type'));
 	}
 
-	user.getUserField(socket.uid, type, function(err, picture) {
-		user.setUserField(socket.uid, 'picture', picture);
-		updateHeader();
+	if(socket.uid === parseInt(data.uid, 10)) {
+		changePicture(socket.uid, function(err) {
+			if(err) {
+				return callback(err);
+			}
+			updateHeader(callback);
+		});
+		return;
+	}
+
+	user.isAdministrator(socket.uid, function(err, isAdmin) {
+		if(err) {
+			return callback(err);
+		}
+
+		if(!isAdmin) {
+			return callback(new Error('not-allowed'));
+		}
+
+		changePicture(data.uid, callback);
 	});
 };