From 2eae968a70654d7e5f2393c06ef21d20e621dcdf Mon Sep 17 00:00:00 2001
From: Clark Winkelmann
Date: Wed, 31 Jan 2018 16:36:42 +0100
Subject: [PATCH] Assert permission when updating avatar
---
 src/User/Command/EditUserHandler.php | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/src/User/Command/EditUserHandler.php b/src/User/Command/EditUserHandler.php
index 3554038b5..5e9c48d38 100644
--- a/src/User/Command/EditUserHandler.php
+++ b/src/User/Command/EditUserHandler.php
@@ -147,6 +147,8 @@ class EditUserHandler
 } if ($avatarUrl = array_get($attributes, 'avatarUrl')) { + $this->assertPermission($canEdit); + $validation = $this->validatorFactory->make(compact('avatarUrl'), ['avatarUrl' => 'url']); if ($validation->fails()) {
@@ -161,6 +163,8 @@ class EditUserHandler
 // } } elseif (array_key_exists('avatarUrl', $attributes)) { + $this->assertPermission($canEdit); + $this->avatarUploader->remove($user); }
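Review bot: The `$this->assertPermission($canEdit);` guard is repeated in both `avatarUrl` branches (the `if ($avatarUrl = array_get(...))` set path in the first hunk and the `elseif (array_key_exists('avatarUrl', $attributes))` removal path in the second), so a later branch on this attribute could again be added without it; one guard ahead of the branching, `if (array_key_exists('avatarUrl', $attributes)) { $this->assertPermission($canEdit); }`, would fail closed for every value of the attribute. The diffstat shows only `EditUserHandler.php` changed, so nothing pins the fix; a regression test that an actor without edit rights is refused on both the set and the clear path would keep the check from being dropped in a refactor. The handler method starts and ends outside both hunks and `$canEdit` is computed there, so it is worth confirming that it reflects the actor's permission on the target `$user`. The `'url'` rule visible in the first hunk checks syntax only; if the lines between the hunks fetch that URL server-side, scheme and destination-host restrictions belong next to this check.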