fix: improper targetUid check during password change

NodeBB · Aug 13, 2020 · c2477d9 · c2477d9
1 parent 28970b0
commit c2477d9
Showing 1 changed file with 6 additions and 1 deletion.
diff --git a/src/user/profile.js b/src/user/profile.js
@@ -280,13 +280,18 @@ module.exports = function (User) {
 		}
 		let isAdminOrPasswordMatch = false;
 		const isSelf = parseInt(uid, 10) === parseInt(data.uid, 10);
+
+		if (!isAdmin && !isSelf) {
+			throw new Error('[[user:change_password_error_privileges]]');
+		}
+
 		if (
 			(isAdmin && !isSelf) || // Admins ok
 			(!hasPassword && isSelf)	// Initial password set ok
 		) {
 			isAdminOrPasswordMatch = true;
 		} else {
-			isAdminOrPasswordMatch = await User.isPasswordCorrect(uid, data.currentPassword, data.ip);
+			isAdminOrPasswordMatch = await User.isPasswordCorrect(data.uid, data.currentPassword, data.ip);
 		}
 
 		if (!isAdminOrPasswordMatch) {