diff --git a/public/src/forum/accountedit.js b/public/src/forum/accountedit.js
index ce50d539ee..0deeda57c7 100644
--- a/public/src/forum/accountedit.js
+++ b/public/src/forum/accountedit.js
@@ -117,7 +117,7 @@ define(['forum/accountheader', 'uploader'], function(header, uploader) {
 $('#uploadPictureBtn').on('click', function() {
 $('#change-picture-modal').modal('hide');
- uploader.open(RELATIVE_PATH + '/user/uploadpicture', {}, config.maximumProfileImageSize, function(imageUrlOnServer) {
+ uploader.open(RELATIVE_PATH + '/user/uploadpicture', {uid: templates.get('theirid')}, config.maximumProfileImageSize, function(imageUrlOnServer) {
 imageUrlOnServer = imageUrlOnServer + '?' + new Date().getTime();
 $('#user-current-picture').attr('src', imageUrlOnServer);
@@ -220,7 +220,8 @@ define(['forum/accountheader', 'uploader'], function(header, uploader) {
 AccountEdit.changeUserPicture = function(type) {
 var userData = {
- type: type
+ type: type,
+ uid: templates.get('theirid')
 };
 socket.emit('user.changePicture', userData, function(err) {
diff --git a/src/routes/user.js b/src/routes/user.js
index 6b2d70ecec..b6b6e6a87d 100644
--- a/src/routes/user.js
+++ b/src/routes/user.js
@@ -165,8 +165,7 @@ var fs = require('fs'),
 });
 }
- var convertToPNG = parseInt(meta.config['profile:convertProfileImageToPNG'], 10);
- var filename = req.user.uid + '-profileimg' + (convertToPNG ? '.png' : extension);
+ var updateUid = req.params.uid;
 async.waterfall([
 function(next) {
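Review bot: The upload still posts to `RELATIVE_PATH + '/user/uploadpicture'` with no uid in the path, while the server-side hunk in src/routes/user.js reads the target from `req.params.uid`; unless the uploader module or the route definition (neither visible here) adds that segment, `req.params.uid` will be undefined there. The uid is also sent as `templates.get('theirid')` inside the params object, so the server has to treat it as client-supplied and authorize it against the session rather than trust it. Consider a short comment on the changed line: `// uid of the profile being edited; the server re-checks that the caller may change it`. The click handler this line belongs to closes outside the hunk.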
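Review bot: `updateUid` is assigned from `req.params.uid` as a raw string and, in hunk @@ -194 of this file, becomes both the key for `user.getUserField`/`user.setUserField` and the prefix of the on-disk `filename`; it should be parsed and rejected when non-numeric before it reaches either use. Something like `var updateUid = parseInt(req.params.uid, 10); if (isNaN(updateUid)) { return res.json(400, { error: 'invalid-uid' }); }` at the point of assignment keeps the later `parseInt(updateUid, 10)` comparison working and rules out non-numeric values in the filename. The route handler enclosing this hunk starts and ends outside it.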
@@ -174,16 +173,41 @@ var fs = require('fs'),
 },
 function(next) {
 image.convertImageToPng(req.files.userPhoto.path, extension, next);
+ },
+ function(next) {
+ try {
+ var params = JSON.parse(req.body.params);
+ if(parseInt(updateUid, 10) === parseInt(params.uid, 10)) {
+ return next();
+ }
+
+ user.isAdministrator(req.user.uid, function(err, isAdmin) {
+ if(err) {
+ return next(err);
+ }
+
+ if(!isAdmin) {
+ return res.json(403, {
+ error: 'Not allowed!'
+ });
+ }
+ updateUid = params.uid;
+ next();
+ });
+ } catch(err) {
+ next(err);
+ }
 }
 ], function(err, result) {
+ function done(err, image) {
 fs.unlink(req.files.userPhoto.path);
 if(err) {
 return res.send({error: err.message});
 }
- user.setUserField(req.user.uid, 'uploadedpicture', image.url);
- user.setUserField(req.user.uid, 'picture', image.url);
+ user.setUserField(updateUid, 'uploadedpicture', image.url);
+ user.setUserField(updateUid, 'picture', image.url);
 res.json({
 path: image.url
 });
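Review bot: The self-service shortcut `if(parseInt(updateUid, 10) === parseInt(params.uid, 10))` compares the uid from the URL with the uid from the request body and never consults `req.user.uid`, so it does not establish that the caller owns the target account; only the fallback `user.isAdministrator` branch looks at the session, and when `req.params.uid` is absent the comparison is always false and every non-admin upload ends in the 403. The comparison should be against the authenticated uid, and the whole step should run before `image.convertImageToPng` rather than after it, so rejected requests do no image processing. The `return res.json(403, …)` path also leaves the waterfall without calling `next`, so `req.files.userPhoto.path` is never unlinked the way `done` does for every other outcome. A reworked step is sketched below; the final callback's handling of `err` between this hunk and the next is not visible here.
```javascript
// Authorization step: place it first in the waterfall, ahead of
// convertImageToPng, so rejected requests do no image processing.
function(next) {
    var params;
    try {
        params = JSON.parse(req.body.params);
    } catch (err) {
        return next(err);
    }
    var targetUid = parseInt(params.uid, 10);
    if (isNaN(targetUid)) {
        return next(new Error('invalid-uid'));
    }
    // A user may change their own picture without any further check.
    if (targetUid === parseInt(req.user.uid, 10)) {
        updateUid = targetUid;
        return next();
    }
    user.isAdministrator(req.user.uid, function(err, isAdmin) {
        if (err) {
            return next(err);
        }
        if (!isAdmin) {
            // Leaving the waterfall here: release the temp upload ourselves.
            fs.unlink(req.files.userPhoto.path);
            return res.json(403, {
                error: 'Not allowed!'
            });
        }
        updateUid = targetUid;
        next();
    });
},
// … unchanged: remaining waterfall steps and the final callback with done() …
```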
@@ -194,26 +218,28 @@ var fs = require('fs'),
 }
 if(plugins.hasListeners('filter:uploadImage')) {
- plugins.fireHook('filter:uploadImage', req.files.userPhoto, done);
- } else {
+ return plugins.fireHook('filter:uploadImage', req.files.userPhoto, done);
+ }
- user.getUserField(req.user.uid, 'uploadedpicture', function (err, oldpicture) {
- if (!oldpicture) {
- file.saveFileToLocal(filename, req.files.userPhoto.path, done);
- return;
- }
+ var convertToPNG = parseInt(meta.config['profile:convertProfileImageToPNG'], 10);
+ var filename = updateUid + '-profileimg' + (convertToPNG ? '.png' : extension);
- var absolutePath = path.join(nconf.get('base_dir'), nconf.get('upload_path'), path.basename(oldpicture));
+ user.getUserField(updateUid, 'uploadedpicture', function (err, oldpicture) {
+ if (!oldpicture) {
+ file.saveFileToLocal(filename, req.files.userPhoto.path, done);
+ return;
+ }
- fs.unlink(absolutePath, function (err) {
- if (err) {
- winston.err(err);
- }
+ var absolutePath = path.join(nconf.get('base_dir'), nconf.get('upload_path'), path.basename(oldpicture));
- file.saveFileToLocal(filename, req.files.userPhoto.path, done);
- });
+ fs.unlink(absolutePath, function (err) {
+ if (err) {
+ winston.err(err);
+ }
+
+ file.saveFileToLocal(filename, req.files.userPhoto.path, done);
 });
- }
+ });
 });
 });
 });
diff --git a/src/socket.io/user.js b/src/socket.io/user.js
index f9e3ade0e9..2e9cf32d73 100644
--- a/src/socket.io/user.js
+++ b/src/socket.io/user.js
@@ -102,12 +102,12 @@ SocketUser.updateProfile = function(socket, data, callback) {
 SocketUser.changePicture = function(socket, data, callback) {
 if(!data) {
- return;
+ return callback(new Error('invalid-data'));
 }
 var type = data.type;
- function updateHeader() {
+ function updateHeader(callback) {
 user.getUserFields(socket.uid, ['picture'], function(err, fields) {
 if(err) {
 return callback(err);
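Review bot: `user.getUserField(updateUid, 'uploadedpicture', function (err, oldpicture)` discards `err`, so a failed lookup is indistinguishable from "no previous picture" and the code proceeds to `file.saveFileToLocal` as if there were none; add `if (err) { return done(err); }` as the first statement of that callback. In the same block, `winston.err(err)` inside the `fs.unlink` callback is not a method winston exposes under its default levels (the logger method is `winston.error`), so the error branch itself would throw unless a custom `err` level is configured elsewhere in the project; the line is carried over from the old side with only its indentation changed. The enclosing route handler begins outside this hunk.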
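Review bot: The new parameter in `function updateHeader(callback)` shadows the `callback` of the enclosing `SocketUser.changePicture`, so the `return callback(err)` inside it now refers to the inner one, which reads correctly only because both happen to be callbacks; renaming the inner parameter, e.g. `function updateHeader(next) {` with `next(err)` and `next()` inside, makes the flow explicit. The function body continues in the next hunk and the enclosing handler extends past both.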
@@ -118,7 +118,17 @@ SocketUser.changePicture = function(socket, data, callback) {
 socket.emit('meta.updateHeader', null, fields);
 }
- callback(null);
+ callback();
+ });
+ }
+
+ function changePicture(uid, callback) {
+ user.getUserField(uid, type, function(err, picture) {
+ if(err) {
+ return callback(err);
+ }
+
+ user.setUserField(uid, 'picture', picture, callback);
 });
 }
@@ -130,9 +140,26 @@ SocketUser.changePicture = function(socket, data, callback) {
 return callback(new Error('invalid-image-type'));
 }
- user.getUserField(socket.uid, type, function(err, picture) {
- user.setUserField(socket.uid, 'picture', picture);
- updateHeader();
+ if(socket.uid === parseInt(data.uid, 10)) {
+ changePicture(socket.uid, function(err) {
+ if(err) {
+ return callback(err);
+ }
+ updateHeader(callback);
+ });
+ return;
+ }
+
+ user.isAdministrator(socket.uid, function(err, isAdmin) {
+ if(err) {
+ return callback(err);
+ }
+
+ if(!isAdmin) {
+ return callback(new Error('not-allowed'));
+ }
+
+ changePicture(data.uid, callback);
 });
 };
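Review bot: The new `changePicture(uid, callback)` helper has no comment stating its contract, which is only clear from reading both calls: it reads the value stored under the caller-chosen `type` field and writes it into the user's `'picture'` field. Suggest `// Make the url stored in the user's <type> field the active 'picture'; type is checked for 'invalid-image-type' before this is called.` on the line before the definition. Whether `user.setUserField` rejects an undefined `picture` (a user with no such image stored yet) is not visible here, so a `if (!picture)` guard may be worth confirming. `SocketUser.changePicture`, which encloses the helper, starts before this hunk.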
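Review bot: `data.uid` is parsed with `parseInt(data.uid, 10)` only for the self-check, while the admin branch hands the raw `data.uid` to `changePicture`; when `data.uid` is missing or non-numeric the comparison yields NaN, the request falls through to `user.isAdministrator`, a non-admin gets `not-allowed` instead of `invalid-data`, and an admin would update fields for a bogus uid. Parse once and reject early, e.g. `var uid = parseInt(data.uid, 10); if (isNaN(uid)) { return callback(new Error('invalid-data')); }`, then use `uid` in both `socket.uid === uid` and `changePicture(uid, callback)`. `SocketUser.changePicture` starts before this hunk.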