From 4b4e3044f273fbbce69672ddf27c4ad7acea49e5 Mon Sep 17 00:00:00 2001
From: Andrew Cunningham
Date: Mon, 4 Dec 2017 15:05:27 -0500
Subject: [PATCH] Use appropriate user in profile.update

Although the endpoint is used to update any user, it always used the logged in user as the base.
---
 server/controllers/users/profile.js | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/server/controllers/users/profile.js b/server/controllers/users/profile.js
index 13227ecc..53754b14 100644
--- a/server/controllers/users/profile.js
+++ b/server/controllers/users/profile.js
@@ -32,6 +32,8 @@ export const getById = async function(req, res) {
 */
 export const update = async function(req, res) {
 let user = req.user
+ if (user._id !== req.body._id)
+ user = await User.findById(req.body._id).lean()
 // For security measurement we remove the roles from the req.body object
 delete req.body.roles
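Review bot: The added lookup loads whichever account `req.body._id` names, and nothing in the hunk checks that `req.user` is allowed to edit that account, so unless route middleware outside this view limits the endpoint to administrators, any logged-in caller can select another user's record as the update target. Put a permission check in front of the lookup and answer 403 when it fails, for example `if (String(user._id) !== String(req.body._id) && !canEditUser(req.user))`, where `canEditUser` is a placeholder for the project's own role check. The `!==` test is probably always true if `req.user._id` is an ObjectId and the body value is a string, and `findById` resolves to null for a missing or unknown id, so compare as strings, require `req.body._id` to be a plain string, and return 404 on a null result before `user` is used. The body of `update` continues past the end of the hunk, so how the `.lean()` result is consumed is not visible here.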