From 6cc3879721d657c071b38abd62bc2183454c25d6 Mon Sep 17 00:00:00 2001
From: Daniel Molkentin
Date: Mon, 19 Jan 2026 16:06:14 +0100
Subject: [PATCH] Allow users with ManageUsers permission to edit local user's email addresses Cleaned up the logic in UsersController along the way.
---
 app/controllers/api/v1/users_controller.rb | 8 +++++---
 .../components/users/user/forms/UpdateUserForm.jsx | 2 +-
 2 files changed, 6 insertions(+), 4 deletions(-)
diff --git a/app/controllers/api/v1/users_controller.rb b/app/controllers/api/v1/users_controller.rb
index d17ebc3834..5bc242f2ad 100644
--- a/app/controllers/api/v1/users_controller.rb
+++ b/app/controllers/api/v1/users_controller.rb
@@ -193,11 +193,13 @@ def valid_domain?
 end
 def permitted_params
- is_admin = PermissionsChecker.new(current_user:, permission_names: 'ManageUsers', current_provider:).call
+ is_user_manager = PermissionsChecker.new(current_user:, permission_names: 'ManageUsers', current_provider:).call
- return %i[password avatar language role_id invite_token] if external_auth? && !is_admin
+ permitted = %i[password avatar language role_id invite_token]
+ permitted.push(:name) if is_user_manager || !external_auth?
+ permitted.push(:email) if is_user_manager
- %i[name password avatar language role_id invite_token]
+ permitted
 end
 end
 end
diff --git a/app/javascript/components/users/user/forms/UpdateUserForm.jsx b/app/javascript/components/users/user/forms/UpdateUserForm.jsx
index d1db18bd43..2900e912ec 100644
--- a/app/javascript/components/users/user/forms/UpdateUserForm.jsx
+++ b/app/javascript/components/users/user/forms/UpdateUserForm.jsx
@@ -71,7 +71,7 @@ export default function UpdateUserForm({ user }) {
 return (
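Review bot: In `permitted_params` of users_controller.rb, `permitted.push(:email) if is_user_manager` permits the email change for every target account, while the commit subject limits it to local users; nothing in the method checks `external_auth?` or whether the user being edited is a local one. If the email address is what ties an account to the external identity provider or receives password-reset mail, a ManageUsers holder could point another account, possibly a more privileged one, at a different mailbox, so the condition should be narrowed, for example `permitted.push(:email) if is_user_manager && !external_auth?`, or tied to the target user being local. The update action that consumes this list is outside the hunk, so whether it re-verifies the new address, enforces uniqueness, or records who made the change cannot be confirmed here; a request spec for a manager editing an externally authenticated user's email would pin the intended behaviour.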
- + { Object.keys(locales || {}).map((code) => )