fix: #12057, allow gmods to change user email

public/src/client/account/edit.js

@@ -27,7 +27,7 @@ define('forum/account/edit', [
 		updateAboutMe();
 		handleGroupSort();
 
-		if (!ajaxify.data.isSelf && app.user.isAdmin) {
+		if (!ajaxify.data.isSelf && ajaxify.data.canEdit) {
 			$(`a[href="${config.relative_path}/user/${ajaxify.data.userslug}/edit/email"]`).on('click', () => {
 				changeEmail.init({
 					uid: ajaxify.data.uid,

src/api/users.js

@@ -413,10 +413,9 @@ usersAPI.getInviteGroups = async (caller, { uid }) => {
 };
 
 usersAPI.addEmail = async (caller, { email, skipConfirmation, uid }) => {
-	const canManageUsers = await privileges.admin.can('admin:users', caller.uid);
-	skipConfirmation = canManageUsers && skipConfirmation;
-
-	if (skipConfirmation) {
+	const isSelf = parseInt(caller.uid, 10) === parseInt(uid, 10);
+	const canEdit = await privileges.users.canEdit(caller.uid, uid);
+	if (skipConfirmation && canEdit && !isSelf) {
 		if (!email.length) {
 			await user.email.remove(uid);
 		} else {

src/privileges/users.js

@@ -77,17 +77,20 @@ privsUsers.canEdit = async function (callerUid, uid) {
 	if (parseInt(callerUid, 10) === parseInt(uid, 10)) {
 		return true;
 	}
-	const [isAdmin, isGlobalMod, isTargetAdmin] = await Promise.all([
+	const privsAdmin = require('./admin');
+	const [isAdmin, isGlobalMod, isTargetAdmin, canManageUsers] = await Promise.all([
 		privsUsers.isAdministrator(callerUid),
 		privsUsers.isGlobalModerator(callerUid),
 		privsUsers.isAdministrator(uid),
+		privsAdmin.can('admin:users', callerUid),
 	]);
 
 	const data = await plugins.hooks.fire('filter:user.canEdit', {
 		isAdmin: isAdmin,
 		isGlobalMod: isGlobalMod,
 		isTargetAdmin: isTargetAdmin,
-		canEdit: isAdmin || (isGlobalMod && !isTargetAdmin),
+		canManageUsers: canManageUsers,
+		canEdit: isAdmin || ((isGlobalMod || canManageUsers) && !isTargetAdmin),
 		callerUid: callerUid,
 		uid: uid,
 	});