From 033ddb185d3d0f7c2665058cb26c14a99feb9319 Mon Sep 17 00:00:00 2001
From: Azareal <azareal@users.noreply.github.com>
Date: Tue, 19 Jan 2021 12:48:49 +1000
Subject: [PATCH] restrict email parameter to users with EditUserEmail perm

---
 routes/panel/users.go | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/routes/panel/users.go b/routes/panel/users.go
index 6b49ec16..bc66e21e 100644
--- a/routes/panel/users.go
+++ b/routes/panel/users.go
@@ -18,6 +18,9 @@ func Users(w http.ResponseWriter, r *http.Request, u *c.User) c.RouteError {
 
 	name := r.FormValue("s-name")
 	email := r.FormValue("s-email")
+	if !u.Perms.EditUserEmail && email != "" {
+		email = ""
+	}
 	hasParam := name != "" || email != ""
 
 	page, _ := strconv.Atoi(r.FormValue("page"))