From 6fae4986534f4642cb81d31b9cc35ed06a3bdfe7 Mon Sep 17 00:00:00 2001
From: Marcos Defendi
Date: Wed, 6 Mar 2019 18:00:08 -0300
Subject: [PATCH] Do not allow change avatars of another users without permission

---
 packages/rocketchat-file-upload/server/lib/FileUpload.js | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/packages/rocketchat-file-upload/server/lib/FileUpload.js b/packages/rocketchat-file-upload/server/lib/FileUpload.js
index 61360bb31700..444c83ace043 100644
--- a/packages/rocketchat-file-upload/server/lib/FileUpload.js
+++ b/packages/rocketchat-file-upload/server/lib/FileUpload.js
@@ -11,6 +11,7 @@ import { settings } from 'meteor/rocketchat:settings';
 import * as Models from 'meteor/rocketchat:models';
 import { FileUpload as _FileUpload } from '../../lib/FileUpload';
 import { roomTypes } from 'meteor/rocketchat:utils';
+import { hasPermission } from 'meteor/rocketchat:authorization';
 
 const cookie = new Cookies();
 
@@ -86,6 +87,9 @@ export const FileUpload = Object.assign(_FileUpload, {
 if (settings.get('Accounts_AvatarResize') !== true) {
 return;
 }
+if (Meteor.userId() !== file.userId && !hasPermission(Meteor.userId(), 'edit-other-user-info')) {
+throw new Meteor.Error('error-not-allowed', 'Change avatar is not allowed');
+}
 
 const tempFilePath = UploadFS.getTempFilePath(file._id);
 
@@ -207,6 +211,9 @@ export const FileUpload = Object.assign(_FileUpload, {
 },
 
 avatarsOnFinishUpload(file) {
+if (Meteor.userId() !== file.userId && !hasPermission(Meteor.userId(), 'edit-other-user-info')) {
+throw new Meteor.Error('error-not-allowed', 'Change avatar is not allowed');
+}
 // update file record to match user's username
 const user = Models.Users.findOneById(file.userId);
 const oldAvatar = Models.Avatars.findOneByName(user.username);
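Review bot: In the second hunk the new ownership check is placed after the `if (settings.get('Accounts_AvatarResize') !== true) { return; }` early return, so on deployments with avatar resizing disabled this hook never evaluates it and the request presumably proceeds until the later finish-upload check. Move the three added lines above that guard so the permission check runs regardless of the resize setting, since it has nothing to do with resizing. The condition also calls `Meteor.userId()` twice; capturing it once, `const userId = Meteor.userId();`, and testing `userId !== file.userId && !hasPermission(userId, 'edit-other-user-info')` keeps both uses on the same value. The enclosing method's name and start are outside the hunk.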
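Review bot: In the third hunk the added check in avatarsOnFinishUpload repeats the earlier hunk's condition, permission name and error verbatim; a single module-level helper called from both hooks would keep them from drifting apart when the permission or message changes. Note also that by the time avatarsOnFinishUpload runs the file has presumably already been written (the following lines look the record up and rename it), so throwing here rejects the call but may leave the stored file behind — worth confirming whether UploadFS removes it or whether it should be deleted explicitly before throwing. The helper below goes at module level, next to `const cookie = new Cookies();`, and each hook then reduces to one call.
```javascript
// Throws unless the current user is the avatar's owner or may edit other users.
const assertCanChangeAvatar = (targetUserId) => {
	const userId = Meteor.userId();
	if (userId !== targetUserId && !hasPermission(userId, 'edit-other-user-info')) {
		throw new Meteor.Error('error-not-allowed', 'Change avatar is not allowed');
	}
};

	avatarsOnFinishUpload(file) {
		assertCanChangeAvatar(file.userId);
		// … unchanged: look up user, rename avatar record …
```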