closes #5637

src/controllers/accounts/helpers.js

@@ -10,8 +10,9 @@ var groups = require('../../groups');
 var plugins = require('../../plugins');
 var meta = require('../../meta');
 var utils = require('../../utils');
+var privileges = require('../../privileges');
 
-var helpers = {};
+var helpers = module.exports;
 
 helpers.getUserDataByUserSlug = function (userslug, callerUID, callback) {
 	async.waterfall([
@@ -60,6 +61,9 @@ helpers.getUserDataByUserSlug = function (userslug, callerUID, callback) {
 				sso: function (next) {
 					plugins.fireHook('filter:auth.list', { uid: uid, associations: [] }, next);
 				},
+				canBanUser: function (next) {
+					privileges.users.canBanUser(callerUID, uid, next);
+				},
 			}, next);
 		},
 		function (results, next) {
@@ -109,7 +113,7 @@ helpers.getUserDataByUserSlug = function (userslug, callerUID, callback) {
 			userData.isAdminOrGlobalModeratorOrModerator = isAdmin || isGlobalModerator || isModerator;
 			userData.isSelfOrAdminOrGlobalModerator = isSelf || isAdmin || isGlobalModerator;
 			userData.canEdit = isAdmin || (isGlobalModerator && !results.isTargetAdmin);
-			userData.canBan = isAdmin || (isGlobalModerator && !results.isTargetAdmin);
+			userData.canBan = results.canBanUser;
 			userData.canChangePassword = isAdmin || (isSelf && parseInt(meta.config['password:disableEdit'], 10) !== 1);
 			userData.isSelf = isSelf;
 			userData.isFollowing = results.isFollowing;
@@ -186,5 +190,3 @@ function filterLinks(links, states) {
 		return permit;
 	});
 }
-
-module.exports = helpers;

src/privileges/users.js

@@ -3,6 +3,7 @@
 
 var async = require('async');
 
+var user = require('../user');
 var groups = require('../groups');
 var plugins = require('../plugins');
 
@@ -157,4 +158,49 @@ module.exports = function (privileges) {
 			callback(null, canEdit);
 		});
 	};
+
+	privileges.users.canBanUser = function (callerUid, uid, callback) {
+		async.waterfall([
+			function (next) {
+				async.parallel({
+					isAdmin: function (next) {
+						privileges.users.isAdministrator(callerUid, next);
+					},
+					isGlobalMod: function (next) {
+						privileges.users.isGlobalModerator(callerUid, next);
+					},
+					isTargetAdmin: function (next) {
+						privileges.users.isAdministrator(uid, next);
+					},
+				}, next);
+			},
+			function (results, next) {
+				results.canBan = !results.isTargetAdmin && (results.isAdmin || results.isGlobalMod);
+				results.callerUid = callerUid;
+				results.uid = uid;
+				plugins.fireHook('filter:user.canBanUser', results, next);
+			},
+			function (data, next) {
+				next(null, data.canBan);
+			},
+		], callback);
+	};
+
+	privileges.users.hasBanPrivilege = function (uid, callback) {
+		async.waterfall([
+			function (next) {
+				user.isAdminOrGlobalMod(uid, next);
+			},
+			function (isAdminOrGlobalMod, next) {
+				plugins.fireHook('filter:user.hasBanPrivilege', {
+					uid: uid,
+					isAdminOrGlobalMod: isAdminOrGlobalMod,
+					canBan: isAdminOrGlobalMod,
+				}, next);
+			},
+			function (data, next) {
+				next(null, data.canBan);
+			},
+		], callback);
+	};
 };

src/socket.io/user/ban.js

@@ -1,10 +1,11 @@
 'use strict';
 
 var async = require('async');
+
 var user = require('../../user');
 var websockets = require('../index');
 var events = require('../../events');
-
+var privileges = require('../../privileges');
 var plugins = require('../../plugins');
 
 module.exports = function (SocketUser) {
@@ -72,10 +73,10 @@ module.exports = function (SocketUser) {
 
 		async.waterfall([
 			function (next) {
-				user.isAdminOrGlobalMod(uid, next);
+				privileges.users.hasBanPrivilege(uid, next);
 			},
-			function (isAdminOrGlobalMod, next) {
+			function (hasBanPrivilege, next) {
-				if (!isAdminOrGlobalMod) {
+				if (!hasBanPrivilege) {
 					return next(new Error('[[error:no-privileges]]'));
 				}
 				async.each(uids, method, next);