From e114b16d7af6d0cef4f547ce0bffa0c9644f6077 Mon Sep 17 00:00:00 2001
From: Andrew Rodrigues
Date: Thu, 9 May 2019 15:50:51 -0400
Subject: [PATCH] fix: if editing password is disabled in ACP, prevent direct access via route/socket (related: #7576)
---
 src/controllers/accounts/edit.js | 4 ++--
 src/user/profile.js | 15 +++++++++++----
 2 files changed, 13 insertions(+), 6 deletions(-)
diff --git a/src/controllers/accounts/edit.js b/src/controllers/accounts/edit.js
index ada68d258c..5d600d7e90 100644
--- a/src/controllers/accounts/edit.js
+++ b/src/controllers/accounts/edit.js
@@ -98,8 +98,8 @@ function renderRoute(name, req, res, next) {
 return next();
 }
 
- if ((name === 'username' && userData['username:disableEdit']) || (name === 'email' && userData['email:disableEdit'])) {
- return next();
+ if (meta.config[name + ':disableEdit'] && !userData.isAdmin) {
+ return helpers.notAllowed(req, res);
 }
 
 if (name === 'password') {
diff --git a/src/user/profile.js b/src/user/profile.js
index f2ba3466f5..cd42beb472 100644
--- a/src/user/profile.js
+++ b/src/user/profile.js
@@ -319,11 +319,18 @@ module.exports = function (User) {
 User.isPasswordValid(data.newPassword, next);
 },
 function (next) {
- if (parseInt(uid, 10) !== parseInt(data.uid, 10)) {
- User.isAdministrator(uid, next);
- } else {
- User.isPasswordCorrect(uid, data.currentPassword, data.ip, next);
+ User.isAdministrator(uid, next);
+ },
+ function (isAdmin, next) {
+ if (meta.config['password:disableEdit'] && !isAdmin) {
+ return next(new Error('[[error:no-privileges]]'));
 }
+
+ if (isAdmin && parseInt(uid, 10) !== parseInt(data.uid, 10)) {
+ return next(null, true);
+ }
+
+ User.isPasswordCorrect(uid, data.currentPassword, data.ip, next);
 },
 function (isAdminOrPasswordMatch, next) {
 if (!isAdminOrPasswordMatch) {
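Review bot: The new guard in renderRoute derives the ACP setting key from the route name (`meta.config[name + ':disableEdit']`), which presumably relies on `name` always being one of the literal route names this helper is called with; a one-line comment on the new `if` would make that coupling explicit, e.g. `// name doubles as the ACP key suffix (username/email/password:disableEdit)`. The response also changes from `next()` to `helpers.notAllowed(req, res)`, so a disabled edit page now answers with a not-allowed response instead of falling through to the next handler — consistent with the `[[error:no-privileges]]` error on the socket side, and worth a sentence in the commit message. `meta` does not appear in the removed lines, so it is assumed to be required at the top of edit.js, which is outside this hunk. renderRoute starts before and continues after the hunk.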
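Review bot: The non-admin, cross-user case is no longer rejected in the new `function (isAdmin, next)` step: when `isAdmin` is false and `uid` differs from `data.uid`, both early returns are skipped and the step falls through to `User.isPasswordCorrect(uid, data.currentPassword, data.ip, next)`, which checks the caller's own password rather than anything about the target user, so `isAdminOrPasswordMatch` can be true for a request the removed `if` branch rejected via `User.isAdministrator`. The old code only reached `isPasswordCorrect` when the two uids matched; the new admin branch keeps the admin path, but nothing replaces the non-admin mismatch rejection. Add an explicit check before the password verification, e.g. `if (!isAdmin && parseInt(uid, 10) !== parseInt(data.uid, 10)) { return next(new Error('[[error:no-privileges]]')); }`. Whether the later waterfall steps write to `data.uid` is outside the hunk, as are the start and end of the enclosing function, but the authorization result should not depend on that.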