From 7fc37b7c70dfae75596a4da7f503f23419d2eea1 Mon Sep 17 00:00:00 2001
From: Johannes Zellner
Date: Wed, 10 Feb 2016 14:48:54 +0100
Subject: [PATCH] Allow admins to edit other users
---
 src/routes/user.js | 18 +++++++++++-------
 1 file changed, 11 insertions(+), 7 deletions(-)
diff --git a/src/routes/user.js b/src/routes/user.js
index efeb1f21a..7ffacb917 100644
--- a/src/routes/user.js
+++ b/src/routes/user.js
@@ -195,15 +195,19 @@ function verifyPassword(req, res, next) {
 if (typeof req.body.password !== 'string') return next(new HttpError(400, 'API call requires user password'));
- // Only allow admins or users, operating on themselves
- if (req.params.userId && !(req.user.id === req.params.userId || req.user.admin)) return next(new HttpError(403, 'Not allowed'));
-
- user.verify(req.user.username, req.body.password, function (error) {
- if (error && error.reason === UserError.WRONG_PASSWORD) return next(new HttpError(403, 'Password incorrect'));
- if (error && error.reason === UserError.NOT_FOUND) return next(new HttpError(403, 'Password incorrect'));
+ groups.isMember(groups.ADMIN_GROUP_ID, req.user.id, function (error, isAdmin) {
 if (error) return next(new HttpError(500, error));
- next();
+ // Only allow admins or users, operating on themselves
+ if (req.params.userId && !(req.user.id === req.params.userId || isAdmin)) return next(new HttpError(403, 'Not allowed'));
+
+ user.verify(req.user.username, req.body.password, function (error) {
+ if (error && error.reason === UserError.WRONG_PASSWORD) return next(new HttpError(403, 'Password incorrect'));
+ if (error && error.reason === UserError.NOT_FOUND) return next(new HttpError(403, 'Password incorrect'));
+ if (error) return next(new HttpError(500, error));
+
+ next();
+ });
 });
 }
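Review bot: The new `groups.isMember` lookup runs on every call, including requests with no `req.params.userId`, where `isAdmin` is never consulted because the `&&` short-circuits; since a lookup error in that callback now fails the whole request with 500, a plain self-password check depends on the groups store even when it does not need the answer. Skipping the lookup when `req.params.userId` is absent would need the `user.verify` step factored into a local helper, so at minimum the intent should be stated on the `groups.isMember` line: `// Admin status is resolved per request from group membership (fails closed on lookup error); it only matters when acting on another user.`. It is also worth noting in that comment that `user.verify` always checks the caller's own password (`req.user.username`), never the target user's, since that is the contract admins-on-behalf callers rely on. The enclosing `verifyPassword` starts outside the hunk.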