Remove sudo mode and add password confirmation when changing email address

closes #674

src/Api/Controller/DeleteDiscussionController.php

@@ -10,15 +10,12 @@
 
 namespace Flarum\Api\Controller;
 
-use Flarum\Core\Access\AssertPermissionTrait;
 use Flarum\Core\Command\DeleteDiscussion;
 use Illuminate\Contracts\Bus\Dispatcher;
 use Psr\Http\Message\ServerRequestInterface;
 
 class DeleteDiscussionController extends AbstractDeleteController
 {
-    use AssertPermissionTrait;
-
     /**
      * @var Dispatcher
      */
@@ -41,8 +38,6 @@ class DeleteDiscussionController extends AbstractDeleteController
         $actor = $request->getAttribute('actor');
         $input = $request->getParsedBody();
 
-        $this->assertSudo($request);
-
         $this->bus->dispatch(
             new DeleteDiscussion($id, $actor, $input)
         );

src/Api/Controller/DeleteGroupController.php

@@ -10,15 +10,12 @@
 
 namespace Flarum\Api\Controller;
 
-use Flarum\Core\Access\AssertPermissionTrait;
 use Flarum\Core\Command\DeleteGroup;
 use Illuminate\Contracts\Bus\Dispatcher;
 use Psr\Http\Message\ServerRequestInterface;
 
 class DeleteGroupController extends AbstractDeleteController
 {
-    use AssertPermissionTrait;
-
     /**
      * @var Dispatcher
      */
@@ -37,8 +34,6 @@ class DeleteGroupController extends AbstractDeleteController
      */
     protected function delete(ServerRequestInterface $request)
     {
-        $this->assertSudo($request);
-
         $this->bus->dispatch(
             new DeleteGroup(array_get($request->getQueryParams(), 'id'), $request->getAttribute('actor'))
         );

src/Api/Controller/DeletePostController.php

@@ -10,15 +10,12 @@
 
 namespace Flarum\Api\Controller;
 
-use Flarum\Core\Access\AssertPermissionTrait;
 use Flarum\Core\Command\DeletePost;
 use Illuminate\Contracts\Bus\Dispatcher;
 use Psr\Http\Message\ServerRequestInterface;
 
 class DeletePostController extends AbstractDeleteController
 {
-    use AssertPermissionTrait;
-
     /**
      * @var Dispatcher
      */
@@ -37,8 +34,6 @@ class DeletePostController extends AbstractDeleteController
      */
     protected function delete(ServerRequestInterface $request)
     {
-        $this->assertSudo($request);
-
         $this->bus->dispatch(
             new DeletePost(array_get($request->getQueryParams(), 'id'), $request->getAttribute('actor'))
         );

src/Api/Controller/DeleteUserController.php

@@ -10,15 +10,12 @@
 
 namespace Flarum\Api\Controller;
 
-use Flarum\Core\Access\AssertPermissionTrait;
 use Flarum\Core\Command\DeleteUser;
 use Illuminate\Contracts\Bus\Dispatcher;
 use Psr\Http\Message\ServerRequestInterface;
 
 class DeleteUserController extends AbstractDeleteController
 {
-    use AssertPermissionTrait;
-
     /**
      * @var Dispatcher
      */
@@ -37,8 +34,6 @@ class DeleteUserController extends AbstractDeleteController
      */
     protected function delete(ServerRequestInterface $request)
     {
-        $this->assertSudo($request);
-
         $this->bus->dispatch(
             new DeleteUser(array_get($request->getQueryParams(), 'id'), $request->getAttribute('actor'))
         );

src/Api/Controller/SetPermissionController.php

@@ -25,7 +25,7 @@ class SetPermissionController implements ControllerInterface
      */
     public function handle(ServerRequestInterface $request)
     {
-        $this->assertAdminAndSudo($request);
+        $this->assertAdmin($request->getAttribute('actor'));
 
         $body = $request->getParsedBody();
         $permission = array_get($body, 'permission');

src/Api/Controller/SetSettingsController.php

@@ -47,7 +47,7 @@ class SetSettingsController implements ControllerInterface
      */
     public function handle(ServerRequestInterface $request)
     {
-        $this->assertAdminAndSudo($request);
+        $this->assertAdmin($request->getAttribute('actor'));
 
         $settings = $request->getParsedBody();
 

src/Api/Controller/UninstallExtensionController.php

@@ -33,7 +33,7 @@ class UninstallExtensionController extends AbstractDeleteController
 
     protected function delete(ServerRequestInterface $request)
     {
-        $this->assertAdminAndSudo($request);
+        $this->assertAdmin($request->getAttribute('actor'));
 
         $name = array_get($request->getQueryParams(), 'name');
 

src/Api/Controller/UpdateExtensionController.php

@@ -37,7 +37,7 @@ class UpdateExtensionController implements ControllerInterface
      */
     public function handle(ServerRequestInterface $request)
     {
-        $this->assertAdminAndSudo($request);
+        $this->assertAdmin($request->getAttribute('actor'));
 
         $enabled = array_get($request->getParsedBody(), 'enabled');
         $name = array_get($request->getQueryParams(), 'name');

src/Api/Controller/UpdateUserController.php

@@ -10,16 +10,14 @@
 
 namespace Flarum\Api\Controller;
 
-use Flarum\Core\Access\AssertPermissionTrait;
 use Flarum\Core\Command\EditUser;
+use Flarum\Core\Exception\PermissionDeniedException;
 use Illuminate\Contracts\Bus\Dispatcher;
 use Psr\Http\Message\ServerRequestInterface;
 use Tobscure\JsonApi\Document;
 
 class UpdateUserController extends AbstractResourceController
 {
-    use AssertPermissionTrait;
-
     /**
      * {@inheritdoc}
      */
@@ -52,7 +50,15 @@ class UpdateUserController extends AbstractResourceController
         $actor = $request->getAttribute('actor');
         $data = array_get($request->getParsedBody(), 'data', []);
 
-        $this->assertSudo($request);
+        // Require the user's current password if they are attempting to change
+        // their own email address.
+        if (isset($data['attributes']['email']) && $actor->id == $id) {
+            $password = array_get($request->getParsedBody(), 'meta.password');
+
+            if (! $actor->checkPassword($password)) {
+                throw new PermissionDeniedException;
+            }
+        }
 
         return $this->bus->dispatch(
             new EditUser($id, $actor, $data)