From e33e046f1547848883085896f0fc6df2e9d178a6 Mon Sep 17 00:00:00 2001
From: Julian Lam <julian@nodebb.org>
Date: Fri, 3 Sep 2021 15:24:50 -0400
Subject: [PATCH] fix: use privileges.users.canEdit for image upload priv check

---
 src/socket.io/user/profile.js | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/src/socket.io/user/profile.js b/src/socket.io/user/profile.js
index 4f757943ac..2de4160ba5 100644
--- a/src/socket.io/user/profile.js
+++ b/src/socket.io/user/profile.js
@@ -6,6 +6,7 @@ const api = require('../../api');
 const user = require('../../user');
 const events = require('../../events');
 const notifications = require('../../notifications');
+const privileges = require('../../privileges');
 const db = require('../../database');
 const plugins = require('../../plugins');
 const sockets = require('..');
@@ -31,10 +32,10 @@ module.exports = function (SocketUser) {
 	};
 
 	SocketUser.uploadCroppedPicture = async function (socket, data) {
-		if (!socket.uid) {
+		if (!socket.uid || !(await privileges.users.canEdit(socket.uid, data.uid))) {
 			throw new Error('[[error:no-privileges]]');
 		}
-		await user.isAdminOrGlobalModOrSelf(socket.uid, data.uid);
+
 		await user.checkMinReputation(socket.uid, data.uid, 'min:rep:profile-picture');
 		data.callerUid = socket.uid;
 		return await user.uploadCroppedPicture(data);