Restrict seeing the email addresses of others to admins only
authorrubenwardy <rw@rubenwardy.com>
Sun, 12 Jul 2020 23:34:01 +0000 (00:34 +0100)
committerrubenwardy <rw@rubenwardy.com>
Sun, 12 Jul 2020 23:34:05 +0000 (00:34 +0100)
app/models.py

index ade4083594f07c939a65e42c0d75da2c9c7c4b92..af4b3b2c046450594db3315b1750bd02ecbe1345 100644 (file)
@@ -200,7 +200,7 @@ class User(db.Model, UserMixin):
                elif perm == Permission.CHANGE_RANK or perm == Permission.CHANGE_USERNAMES:
                        return user.rank.atLeast(UserRank.MODERATOR)
                elif perm == Permission.CHANGE_EMAIL or perm == Permission.CHANGE_PROFILE_URLS:
-                       return user == self or (user.rank.atLeast(UserRank.MODERATOR) and user.rank.atLeast(self.rank))
+                       return user == self or user.rank.atLeast(UserRank.ADMIN)
                elif perm == Permission.CREATE_TOKEN:
                        if user == self:
                                return user.rank.atLeast(UserRank.MEMBER)
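Review bot: The tightened check on the `+` line applies to `Permission.CHANGE_PROFILE_URLS` as well as `Permission.CHANGE_EMAIL`, because both share one `elif`, so moderators also lose the ability to edit other users' profile URLs, which the commit title does not mention. If only email exposure was meant to be restricted, split the branch: `elif perm == Permission.CHANGE_EMAIL:` returning `user == self or user.rank.atLeast(UserRank.ADMIN)`, and leave the previous moderator rule on `CHANGE_PROFILE_URLS`. The title speaks of seeing addresses while the permission is named for changing them, so presumably the views reuse this check to decide visibility; a comment such as `# also gates who may view the address, not only edit it` would make that coupling explicit for the next maintainer. The enclosing method starts and ends outside the hunk, so callers of this permission are not visible here and should be checked for any that still expect moderator access.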