From 856ba78a5f0c971dfd6d39a20a7d9fe25ceb4ec9 Mon Sep 17 00:00:00 2001
From: Julian Lam <julian@nodebb.org>
Date: Fri, 3 Sep 2021 17:13:55 -0400
Subject: [PATCH] fix: replace logic in isPrivilegedOrSelfAndPasswordMatch to
 use privileges.users.canEdit

---
 src/api/users.js | 9 ++-------
 1 file changed, 2 insertions(+), 7 deletions(-)

diff --git a/src/api/users.js b/src/api/users.js
index 71d3a0c8f4..cbd64e7fd5 100644
--- a/src/api/users.js
+++ b/src/api/users.js
@@ -227,14 +227,9 @@ usersAPI.unban = async function (caller, data) {
 async function isPrivilegedOrSelfAndPasswordMatch(caller, data) {
 	const { uid } = caller;
 	const isSelf = parseInt(uid, 10) === parseInt(data.uid, 10);
+	const canEdit = await privileges.users.canEdit(uid, data.uid);
 
-	const [isAdmin, isTargetAdmin, isGlobalMod] = await Promise.all([
-		user.isAdministrator(uid),
-		user.isAdministrator(data.uid),
-		user.isGlobalModerator(uid),
-	]);
-
-	if ((isTargetAdmin && !isAdmin) || (!isSelf && !(isAdmin || isGlobalMod))) {
+	if (!canEdit) {
 		throw new Error('[[error:no-privileges]]');
 	}
 	const [hasPassword, passwordMatch] = await Promise.all([