From ef8bbdd359851b49b121d0b51c5a1d543aefee79 Mon Sep 17 00:00:00 2001
From: barisusakli
Date: Sun, 20 Jul 2014 21:10:23 -0400
Subject: [PATCH] closes #1864 doing andrew's //todo's since 1991
---
 public/src/forum/account/header.js | 6 +----
 public/src/forum/account/settings.js | 8 +++---
 src/controllers/accounts.js | 4 ---
 src/routes/index.js | 1 -
 src/socket.io/user.js | 39 ++++++++++++++++++++++++----
 5 files changed, 40 insertions(+), 18 deletions(-)
diff --git a/public/src/forum/account/header.js b/public/src/forum/account/header.js
index afda7961d0..6efa692a0f 100644
--- a/public/src/forum/account/header.js
+++ b/public/src/forum/account/header.js
@@ -10,10 +10,6 @@ define('forum/account/header', function() {
  var yourid = ajaxify.variables.get('yourid'),
  theirid = ajaxify.variables.get('theirid');
- var editLink = $('#editLink'),
- settingsLink = $('#settingsLink'),
- favouritesLink = $('#favouritesLink');
-
  if (parseInt(yourid, 10) !== 0 && parseInt(yourid, 10) === parseInt(theirid, 10)) {
  $('#editLink, #settingsLink, #favouritesLink').removeClass('hide');
  } else {
@@ -24,7 +20,7 @@ define('forum/account/header', function() {
  }
  if (app.isAdmin) {
- editLink.removeClass('hide');
+ $('#editLink, #settingsLink').removeClass('hide');
  }
  }
diff --git a/public/src/forum/account/settings.js b/public/src/forum/account/settings.js
index 78d5a52a99..107e766c77 100644
--- a/public/src/forum/account/settings.js
+++ b/public/src/forum/account/settings.js
@@ -26,20 +26,22 @@ define('forum/account/settings', ['forum/account/header'], function(header) {
  }
  });
- socket.emit('user.saveSettings', settings, function(err) {
+ socket.emit('user.saveSettings', {uid: ajaxify.variables.get('theirid'), settings: settings}, function(err) {
  if (err) {
  return app.alertError(err.message);
  }
  app.alertSuccess('[[success:settings-saved]]');
  app.loadConfig();
- ajaxify.refresh();
+ if (parseInt(app.uid, 10) === parseInt(ajaxify.variables.get('theirid'), 10)) {
+ ajaxify.refresh();
+ }
  });
  return false;
  });
- socket.emit('user.getSettings', function(err, settings) {
+ socket.emit('user.getSettings', {uid: ajaxify.variables.get('theirid')}, function(err, settings) {
  var inputs = $('.account').find('input, textarea, select');
  inputs.each(function(index, input) {
diff --git a/src/controllers/accounts.js b/src/controllers/accounts.js
index 885e6f2767..4afb9ded93 100644
--- a/src/controllers/accounts.js
+++ b/src/controllers/accounts.js
@@ -346,10 +346,6 @@ accountsController.accountSettings = function(req, res, next) {
  return userNotFound(res);
  }
- if (parseInt(userData.uid, 10) !== callerUID) {
- return userNotAllowed(res);
- }
-
  async.parallel({
  settings: function(next) {
  plugins.fireHook('filter:user.settings', [], next);
diff --git a/src/routes/index.js b/src/routes/index.js
index 814f15354a..27f7da64c3 100644
--- a/src/routes/index.js
+++ b/src/routes/index.js
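Review bot: `ajaxify.variables.get('theirid')` is evaluated three separate times in the new lines (both `socket.emit` payloads and the refresh condition); hoisting it once, `var theirid = ajaxify.variables.get('theirid');`, at the top of the enclosing submit handler would make the uid being edited explicit and keep the three uses in sync. That handler starts before the hunk, so the hoist lands outside it. Separately, `app.loadConfig()` is still called unconditionally, so an admin saving another user's settings reloads their own client config; presumably harmless, but it looks like it belongs inside the same self-edit guard that now wraps `ajaxify.refresh()`.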
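Review bot: With the `userData.uid !== callerUID` check removed, `accountSettings` no longer enforces any authorization itself; the only guard left is `middleware.checkAccountPermissions` on the two settings routes, visible in the routes hunk of this same patch. That coupling deserves a comment at the removal point so nobody later mounts the controller without the middleware, e.g. `// Access control (owner or admin) is enforced by middleware.checkAccountPermissions on the route; do not mount this controller without it.` If `callerUID` was computed only for this check it is presumably now unused and can be dropped, but the function body starts and ends outside the hunk, so I cannot confirm.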
@@ -112,7 +112,6 @@ function accountRoutes(app, middleware, controllers) {
  app.get('/user/:userslug/edit', middleware.buildHeader, middleware.checkGlobalPrivacySettings, middleware.checkAccountPermissions, controllers.accounts.accountEdit);
  app.get('/api/user/:userslug/edit', middleware.checkGlobalPrivacySettings, middleware.checkAccountPermissions, controllers.accounts.accountEdit);
- // todo: admin recently gained access to this page, pls check if it actually works
  app.get('/user/:userslug/settings', middleware.buildHeader, middleware.checkGlobalPrivacySettings, middleware.checkAccountPermissions, controllers.accounts.accountSettings);
  app.get('/api/user/:userslug/settings', middleware.checkGlobalPrivacySettings, middleware.checkAccountPermissions, controllers.accounts.accountSettings);
diff --git a/src/socket.io/user.js b/src/socket.io/user.js
index 55236a22b7..41bba06ba6 100644
--- a/src/socket.io/user.js
+++ b/src/socket.io/user.js
@@ -140,7 +140,6 @@ SocketUser.changePicture = function(socket, data, callback) {
  if(err) {
  return callback(err);
  }
-
  });
  return;
  }
@@ -172,18 +171,48 @@ SocketUser.unfollow = function(socket, data, callback) {
  SocketUser.getSettings = function(socket, data, callback) {
  if (socket.uid) {
- user.getSettings(socket.uid, callback);
+ if (socket.uid === parseInt(data.uid, 10)) {
+ return user.getSettings(socket.uid, callback);
+ }
+
+ user.isAdministrator(socket.uid, function(err, isAdmin) {
+ if (err) {
+ return callback(err);
+ }
+
+ if (!isAdmin) {
+ return callback(new Error('[[error:no-privileges]]'));
+ }
+
+ user.getSettings(data.uid, callback);
+ });
  }
  };
  SocketUser.saveSettings = function(socket, data, callback) {
- if (socket.uid && data) {
- user.saveSettings(socket.uid, data, callback);
+ if (!socket.uid || !data) {
+ return callback(new Error('[[error:invalid-data]]'));
  }
+
+ if (socket.uid === parseInt(data.uid, 10)) {
+ return user.saveSettings(socket.uid, data.settings, callback);
+ }
+
+ user.isAdministrator(socket.uid, function(err, isAdmin) {
+ if (err) {
+ return callback(err);
+ }
+
+ if (!isAdmin) {
+ return callback(new Error('[[error:no-privileges]]'));
+ }
+
+ user.saveSettings(data.uid, data.settings, callback);
+ });
  };
  SocketUser.setTopicSort = function(socket, sort, callback) {
- if(socket.uid) {
+ if (socket.uid) {
  user.setSetting(socket.uid, 'topicPostSort', sort, callback);
  }
  };
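Review bot: `SocketUser.getSettings` still dereferences `data.uid` with no check that `data` is an object, and when `socket.uid` is falsy it never calls `callback` at all, so an unauthenticated or malformed request either throws inside the handler or leaves the client waiting forever; `saveSettings` in the same hunk already got the right guard, so mirror it and drop the outer `if (socket.uid) {` wrapper: `if (!socket.uid || !data) { return callback(new Error('[[error:invalid-data]]')); }`. Both handlers also compare `socket.uid === parseInt(data.uid, 10)` but then hand the raw, unparsed `data.uid` to `user.getSettings`/`user.saveSettings` on the admin path; parsing once into `var uid = parseInt(data.uid, 10);`, rejecting `NaN`, and using `uid` in both branches avoids passing a client-controlled string where the self path passes an integer (I cannot see how `user.*` normalizes uids, so this is hedged). The owner-or-admin check is now duplicated verbatim in both handlers and would read better as one shared helper.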