Admin: don't search for banned users without the scope

An admin must have the admin.user.ban scope in order to search for banned or disabled users in the member directory.
2024-05-11 14:10:59 -07:00 · 2024-05-11 14:10:59 -07:00 · ed008a99e6
commit ed008a99e6
parent 7c7d3a11e5
2 changed files with 2 additions and 2 deletions
--- a/pkg/models/user.go
+++ b/pkg/models/user.go
@ -366,7 +366,7 @@ func SearchUsers(user *User, search *UserSearch, pager *Pagination) ([]*User, er

 	// Only admin user can show disabled/banned users.
 	var statuses = []string{}
-	if user.IsAdmin {
+	if user.HasAdminScope(config.ScopeUserBan) {
 		if search.IsBanned {
 			statuses = append(statuses, UserStatusBanned)
 		}
--- a/web/templates/account/search.html
+++ b/web/templates/account/search.html
@ -101,7 +101,7 @@
                                            {{end}}
                                            <option value="admin"{{if eq $Root.Certified "admin"}} selected{{end}}>Website administrators</option>
                                        </optgroup>
-                                        {{if .CurrentUser.IsAdmin}}
+                                        {{if .CurrentUser.HasAdminScope "admin.user.ban"}}
                                        <optgroup label="Admin Options">
                                            <option value="banned"{{if eq $Root.Certified "banned"}} selected{{end}}>☮ Banned</option>
                                            <option value="disabled"{{if eq $Root.Certified "disabled"}} selected{{end}}>☮ Disabled</option>