diff --git a/crates/delta/src/routes/users/edit_user.rs b/crates/delta/src/routes/users/edit_user.rs index b6aab49e..d98c01ee 100644 --- a/crates/delta/src/routes/users/edit_user.rs +++ b/crates/delta/src/routes/users/edit_user.rs @@ -24,23 +24,26 @@ pub async fn edit( }) })?; + // Filter out invalid edit fields + if !user.privileged && (data.badges.is_some() || data.flags.is_some()) { + return Err(create_error!(NotPrivileged)); + } + // If we want to edit a different user than self, ensure we have // permissions and subsequently replace the user in question if target.id != "@me" && target.id != user.id { let target_user = target.as_user(db).await?; let is_bot_owner = target_user .bot + .as_ref() .map(|bot| bot.owner == user.id) .unwrap_or_default(); if !is_bot_owner && !user.privileged { return Err(create_error!(NotPrivileged)); } - } - // Otherwise, filter out invalid edit fields - if !user.privileged && (data.badges.is_some() || data.flags.is_some()) { - return Err(create_error!(NotPrivileged)); + user = target_user; } // Exit out early if nothing is changed