Disallow normal users to change email

7 years ago · 064a1caa02
2 changed files with 2 additions and 2 deletions
--- a/modules/user.js
+++ b/modules/user.js
@ -152,6 +152,7 @@ app.post('/user/:id/edit', async (req, res) => {
    if (res.locals.user && await res.locals.user.hasPrivilege('manage_user')) {
      if (!syzoj.utils.isValidUsername(req.body.username)) throw new ErrorMessage('无效的用户名。');
      user.username = req.body.username;
+      user.email = req.body.email;
    }

    if (res.locals.user && res.locals.user.is_admin) {
@ -165,7 +166,6 @@ app.post('/user/:id/edit', async (req, res) => {
      await user.setPrivileges(privileges);
    }

-    user.email = req.body.email;
    user.information = req.body.information;
    user.sex = req.body.sex;

--- a/views/user_edit.ejs
+++ b/views/user_edit.ejs
@ -23,7 +23,7 @@
 	    </div>
 	    <div class="field">
 	    	<label for="email">Email</label>
-	    	<input class="font-content" type="email" id="email" name="email" value="<%= edited_user.email %>">
+	    	<input class="font-content" type="email" id="email" name="email" value="<%= edited_user.email %>"<% if (!user.allowedManage) { %> readonly<% } %>>
 	    </div>
 	    <div class="field">
 	    	<label for="information">个性签名</label>