From a2f08e7da247f79daba2934d241e396494eae917 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bar=C4=B1=C5=9F=20Soner=20U=C5=9Fakl=C4=B1?=
Date: Tue, 5 Feb 2019 15:27:41 -0500
Subject: [PATCH] fix: #7240

---
 src/socket.io/groups.js | 33 +++++++++++++++++++++------------
 1 file changed, 21 insertions(+), 12 deletions(-)

diff --git a/src/socket.io/groups.js b/src/socket.io/groups.js
index 8301974a7d..a92fd4d5f5 100644
--- a/src/socket.io/groups.js
+++ b/src/socket.io/groups.js
@@ -325,13 +325,9 @@ SocketGroups.cover.update = function (socket, data, callback) {
 
 async.waterfall([
 function (next) {
- groups.ownership.isOwner(socket.uid, data.groupName, next);
+ canModifyGroup(socket.uid, data.groupName, next);
 },
- function (isOwner, next) {
- if (!isOwner) {
- return next(new Error('[[error:no-privileges]]'));
- }
-
+ function (next) {
 groups.updateCover(socket.uid, data, next);
 },
 ], callback);
@@ -344,14 +340,27 @@ SocketGroups.cover.remove = function (socket, data, callback) {
 
 async.waterfall([
 function (next) {
- groups.ownership.isOwner(socket.uid, data.groupName, next);
+ canModifyGroup(socket.uid, data.groupName, next);
 },
- function (isOwner, next) {
- if (!isOwner) {
- return next(new Error('[[error:no-privileges]]'));
- }
-
+ function (next) {
 groups.removeCover(data, next);
 },
 ], callback);
 };
+
+function canModifyGroup(uid, groupName, callback) {
+ async.waterfall([
+ function (next) {
+ async.parallel({
+ isOwner: async.apply(groups.ownership.isOwner, uid, groupName),
+ isAdminOrGlobalMod: async.apply(user.isAdminOrGlobalMod, uid),
+ }, next);
+ },
+ function (results, next) {
+ if (!results.isOwner && !results.isAdminOrGlobalMod) {
+ return next(new Error('[[error:no-privileges]]'));
+ }
+ next();
+ },
+ ], callback);
+}
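Review bot: The gate in cover.update authorizes `data.groupName`, but the next step hands the whole client-supplied `data` object to `groups.updateCover`, and the cover.remove hunk does the same with `groups.removeCover(data, next)`. Admins and global moderators now pass the gate for any group, so those functions must act only on `data.groupName`, and it must be a string; neither is visible here. If that is not already guaranteed, add a guard before the waterfall such as `if (!data || typeof data.groupName !== 'string') { return callback(new Error('[[error:invalid-data]]')); }`. Both handlers begin outside their hunks, so an equivalent check may already exist above the visible lines.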
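Review bot: `canModifyGroup` is now the only authorization gate for both cover handlers, yet nothing documents its contract or who it admits. The name reads like a predicate, but it never yields a boolean: it calls back with `[[error:no-privileges]]` on denial and with no value on success. I would add a comment above it such as `// Authorization gate: passes for group owners, admins and global moderators; otherwise calls back with [[error:no-privileges]].` The commit message only references #7240, so the comment should also record that admitting global moderators is intended, if it is. `user.isAdminOrGlobalMod` is new to the visible code and the diff adds no require, so confirm `user` is already required at the top of the file.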