From 61e408b4a2d2735060979f0157568d5e414425f7 Mon Sep 17 00:00:00 2001
From: Baris Usakli
Date: Wed, 17 Jan 2018 12:25:08 -0500
Subject: [PATCH] closes #6253
---
 src/socket.io/user/profile.js | 18 ++++++++++++------
 1 file changed, 12 insertions(+), 6 deletions(-)
diff --git a/src/socket.io/user/profile.js b/src/socket.io/user/profile.js
index 792b55200d..d9c89df6a0 100644
--- a/src/socket.io/user/profile.js
+++ b/src/socket.io/user/profile.js
@@ -15,7 +15,7 @@ module.exports = function (SocketUser) {
 async.waterfall([
 function (next) {
- isAdminOrSelfAndPasswordMatch(socket.uid, data, next);
+ isPrivilegedOrSelfAndPasswordMatch(socket.uid, data, next);
 },
 function (next) {
 SocketUser.updateProfile(socket, data, next);
@@ -29,7 +29,7 @@ module.exports = function (SocketUser) {
 }
 async.waterfall([
 function (next) {
- user.isAdminOrSelf(socket.uid, data.uid, next);
+ user.isAdminOrGlobalModOrSelf(socket.uid, data.uid, next);
 },
 function (next) {
 user.updateCoverPicture(data, next);
@@ -43,7 +43,7 @@ module.exports = function (SocketUser) {
 }
 async.waterfall([
 function (next) {
- user.isAdminOrSelf(socket.uid, data.uid, next);
+ user.isAdminOrGlobalModOrSelf(socket.uid, data.uid, next);
 },
 function (next) {
 user.uploadCroppedPicture(data, next);
@@ -58,7 +58,7 @@ module.exports = function (SocketUser) {
 async.waterfall([
 function (next) {
- user.isAdminOrSelf(socket.uid, data.uid, next);
+ user.isAdminOrGlobalModOrSelf(socket.uid, data.uid, next);
 },
 function (next) {
 user.removeCoverPicture(data, next);
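Review bot: The switch to `user.isAdminOrGlobalModOrSelf` in the second hunk (cover picture update) and in the two hunks after it (cropped picture upload, cover picture removal) has no counterpart to the `isTargetAdmin && !isAdmin` guard that this commit adds to `isPrivilegedOrSelfAndPasswordMatch`. Unless `isAdminOrGlobalModOrSelf`, which is defined outside this diff, already refuses when `data.uid` belongs to an administrator, a global moderator could change or remove an administrator's pictures while being refused on the rest of that profile. Either put the target-admin check inside the shared helper or add the same guard ahead of these three calls, so every profile handler enforces the same privilege boundary. Each handler's body starts and ends outside its hunk.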
@@ -66,11 +66,13 @@ module.exports = function (SocketUser) {
 ], callback);
 };
- function isAdminOrSelfAndPasswordMatch(uid, data, callback) {
+ function isPrivilegedOrSelfAndPasswordMatch(uid, data, callback) {
 async.waterfall([
 function (next) {
 async.parallel({
 isAdmin: async.apply(user.isAdministrator, uid),
+ isTargetAdmin: async.apply(user.isAdministrator, data.uid),
+ isGlobalMod: async.apply(user.isGlobalModerator, uid),
 hasPassword: async.apply(user.hasPassword, data.uid),
 passwordMatch: function (next) {
 if (data.password) {
@@ -84,7 +86,11 @@ module.exports = function (SocketUser) {
 function (results, next) {
 var isSelf = parseInt(uid, 10) === parseInt(data.uid, 10);
- if (!results.isAdmin && !isSelf) {
+ if (results.isTargetAdmin && !results.isAdmin) {
+ return next(new Error('[[error:no-privileges]]'));
+ }
+
+ if ((!results.isAdmin || !results.isGlobalMod) && !isSelf) {
 return next(new Error('[[error:no-privileges]]'));
 }
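Review bot: The second check added in the last hunk, `(!results.isAdmin || !results.isGlobalMod) && !isSelf`, rejects every non-self caller who lacks either role, so only someone who is both an administrator and a global moderator gets through. An administrator who is not also a global moderator is now refused, which the old `!results.isAdmin && !isSelf` allowed, and a global moderator who is not an administrator is still refused, so the access this commit appears to intend is not granted. The condition should be `if (!results.isAdmin && !results.isGlobalMod && !isSelf) {`. The error fails closed, but a test covering admin-only, global-mod-only and self callers would catch this; the callback body continues past the end of the hunk.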