From 016037adc1d0d6ff0767327247bafc1e54619655 Mon Sep 17 00:00:00 2001
From: Julien Fontanet
Date: Thu, 18 Aug 2016 14:16:40 +0200
Subject: [PATCH] fix(user.set): can be used by non admins

---
 src/api/user.js | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)

diff --git a/src/api/user.js b/src/api/user.js
index 541724f97..f513d5453 100644
--- a/src/api/user.js
+++ b/src/api/user.js
@@ -58,15 +58,21 @@ getAll.permission = 'admin'
 
 // -------------------------------------------------------------------
 
 export async function set ({id, email, password, permission, preferences}) {
-  if (permission && id === this.session.get('user_id')) {
-    throw new InvalidParameters('a user cannot change its own permission')
+  const isAdmin = this.user && this.user.permission === 'admin'
+  if (isAdmin) {
+    if (permission && id === this.session.get('user_id')) {
+      throw new InvalidParameters('a user cannot change its own permission')
+    }
+  } else if (email || password || permission) {
+    throw new InvalidParameters('this properties can only changed by an administrator')
   }
+
   await this.updateUser(id, {email, password, permission, preferences})
 }
 
 set.description = 'changes the properties of an existing user'
-set.permission = 'admin'
+set.permission = ''
 set.params = {
   id: { type: 'string' },