Fix leak of private information when updating users

Fixes #1628.

framework/core/src/Api/Controller/UpdateUserController.php

@@ -12,6 +12,7 @@
 namespace Flarum\Api\Controller;
 
 use Flarum\Api\Serializer\CurrentUserSerializer;
+use Flarum\Api\Serializer\UserSerializer;
 use Flarum\User\Command\EditUser;
 use Flarum\User\Exception\PermissionDeniedException;
 use Illuminate\Contracts\Bus\Dispatcher;
@@ -23,7 +24,7 @@ class UpdateUserController extends AbstractShowController
     /**
      * {@inheritdoc}
      */
-    public $serializer = CurrentUserSerializer::class;
+    public $serializer = UserSerializer::class;
 
     /**
      * {@inheritdoc}
@@ -52,6 +53,10 @@ class UpdateUserController extends AbstractShowController
         $actor = $request->getAttribute('actor');
         $data = array_get($request->getParsedBody(), 'data', []);
 
+        if ($actor->id == $id) {
+            $this->serializer = CurrentUserSerializer::class;
+        }
+
         // Require the user's current password if they are attempting to change
         // their own email address.
         if (isset($data['attributes']['email']) && $actor->id == $id) {