From e33e046f1547848883085896f0fc6df2e9d178a6 Mon Sep 17 00:00:00 2001
From: Julian Lam
Date: Fri, 3 Sep 2021 15:24:50 -0400
Subject: [PATCH] fix: use privileges.users.canEdit for image upload priv check
---
 src/socket.io/user/profile.js | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/src/socket.io/user/profile.js b/src/socket.io/user/profile.js
index 4f757943ac..2de4160ba5 100644
--- a/src/socket.io/user/profile.js
+++ b/src/socket.io/user/profile.js
@@ -6,6 +6,7 @@ const api = require('../../api');
 const user = require('../../user');
 const events = require('../../events');
 const notifications = require('../../notifications');
+const privileges = require('../../privileges');
 const db = require('../../database');
 const plugins = require('../../plugins');
 const sockets = require('..');
@@ -31,10 +32,10 @@ module.exports = function (SocketUser) {
 };
 SocketUser.uploadCroppedPicture = async function (socket, data) {
- if (!socket.uid) {
+ if (!socket.uid || !(await privileges.users.canEdit(socket.uid, data.uid))) {
 throw new Error('[[error:no-privileges]]');
 }
- await user.isAdminOrGlobalModOrSelf(socket.uid, data.uid);
+ await user.checkMinReputation(socket.uid, data.uid, 'min:rep:profile-picture');
 data.callerUid = socket.uid;
 return await user.uploadCroppedPicture(data);
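Review bot: In `SocketUser.uploadCroppedPicture`, the new condition reads `data.uid` from the socket payload before anything has checked that `data` is an object carrying a uid. A logged-in client that sends no payload therefore gets a raw TypeError instead of a controlled error, and `privileges.users.canEdit` receives whatever value arrived. `canEdit` is not shown in this patch, so how it treats a missing or non-numeric uid cannot be confirmed here. I would add a guard ahead of the privilege check, `if (!data || !data.uid) { throw new Error('[[error:invalid-data]]'); }`, so that the authorization decision and the later `user.uploadCroppedPicture(data)` call both act on a validated target uid. The handler's closing lines fall outside the hunk.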