From 344ece8db5a260c38d4de8df888685aa74fb0b41 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bar=C4=B1=C5=9F=20Soner=20U=C5=9Fakl=C4=B1?=
Date: Tue, 3 Oct 2023 20:42:43 -0400
Subject: [PATCH] fix: #12057, allow gmods to change user email
---
 public/src/client/account/edit.js | 2 +-
 src/api/users.js | 7 +++----
 src/privileges/users.js | 7 +++++--
 3 files changed, 9 insertions(+), 7 deletions(-)
diff --git a/public/src/client/account/edit.js b/public/src/client/account/edit.js
index 587b4055ab..70ea1e83ce 100644
--- a/public/src/client/account/edit.js
+++ b/public/src/client/account/edit.js
@@ -27,7 +27,7 @@ define('forum/account/edit', [
 updateAboutMe();
 handleGroupSort();
- if (!ajaxify.data.isSelf && app.user.isAdmin) {
+ if (!ajaxify.data.isSelf && ajaxify.data.canEdit) {
 $(`a[href="${config.relative_path}/user/${ajaxify.data.userslug}/edit/email"]`).on('click', () => {
 changeEmail.init({
 uid: ajaxify.data.uid,
diff --git a/src/api/users.js b/src/api/users.js
index d4456128d1..8e84c87c34 100644
--- a/src/api/users.js
+++ b/src/api/users.js
@@ -413,10 +413,9 @@ usersAPI.getInviteGroups = async (caller, { uid }) => {
 };
 usersAPI.addEmail = async (caller, { email, skipConfirmation, uid }) => {
- const canManageUsers = await privileges.admin.can('admin:users', caller.uid);
- skipConfirmation = canManageUsers && skipConfirmation;
-
- if (skipConfirmation) {
+ const isSelf = parseInt(caller.uid, 10) === parseInt(uid, 10);
+ const canEdit = await privileges.users.canEdit(caller.uid, uid);
+ if (skipConfirmation && canEdit && !isSelf) {
 if (!email.length) {
 await user.email.remove(uid);
 } else {
diff --git a/src/privileges/users.js b/src/privileges/users.js
index ac3c0ca1c7..ee666c3e0f 100644
--- a/src/privileges/users.js
+++ b/src/privileges/users.js
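Review bot: In `usersAPI.addEmail` the unconfirmed-change branch is now authorised by `privileges.users.canEdit`, the general profile-edit check, instead of the dedicated `admin:users` privilege. Anything that grants profile editing, including a plugin answering `filter:user.canEdit` (see src/privileges/users.js in this patch), therefore also grants replacing or removing another account's email without a confirmation mail. If password resets are delivered to that address, which is the usual design but is not visible here, this is an account-takeover path, and the hunk shows no audit record of caller uid, target uid and old/new address. A comment such as `// skipConfirmation is honoured only when a privileged caller edits another account; self-service changes always confirm` would also document the new `!isSelf` term. The function body continues outside the hunk, so the path taken by callers who fail the check cannot be reviewed from here.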
@@ -77,17 +77,20 @@ privsUsers.canEdit = async function (callerUid, uid) {
 if (parseInt(callerUid, 10) === parseInt(uid, 10)) {
 return true;
 }
- const [isAdmin, isGlobalMod, isTargetAdmin] = await Promise.all([
+ const privsAdmin = require('./admin');
+ const [isAdmin, isGlobalMod, isTargetAdmin, canManageUsers] = await Promise.all([
 privsUsers.isAdministrator(callerUid),
 privsUsers.isGlobalModerator(callerUid),
 privsUsers.isAdministrator(uid),
+ privsAdmin.can('admin:users', callerUid),
 ]);
 const data = await plugins.hooks.fire('filter:user.canEdit', {
 isAdmin: isAdmin,
 isGlobalMod: isGlobalMod,
 isTargetAdmin: isTargetAdmin,
- canEdit: isAdmin || (isGlobalMod && !isTargetAdmin),
+ canManageUsers: canManageUsers,
+ canEdit: isAdmin || ((isGlobalMod || canManageUsers) && !isTargetAdmin),
 callerUid: callerUid,
 uid: uid,
 });
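Review bot: The target-side guard in `canEdit` still excludes only full administrators (`!isTargetAdmin`), so a global moderator or `admin:users` holder now passes the check against another global moderator or against a user who holds `admin:users`. Because `addEmail` in this patch uses the same result to skip email confirmation, consider testing the target as well: add `privsAdmin.can('admin:users', uid),` to the `Promise.all` as `isTargetManager` and require `!isTargetAdmin && !isTargetManager` on the non-admin path. The widened result applies to every caller of `canEdit`, not only the email flow; those callers are outside this diff and are worth confirming. The in-function `require('./admin')` deserves a one-line comment on why it is not a top-level require, for example `// required lazily to avoid a circular dependency with ./admin`, if that is indeed the reason. The function's handling of the hook result lies outside the hunk.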