From 7e4521a206f2514e303fef7bcb95c7491922cdbc Mon Sep 17 00:00:00 2001
From: joshuaruesweg
Date: Wed, 20 May 2015 17:28:44 +0200
Subject: [PATCH] fix email leak in user search form
---
 wcfsetup/install/files/acp/templates/userSearch.tpl | 4 +++-
 wcfsetup/install/files/lib/acp/form/UserSearchForm.class.php | 5 +++++
 2 files changed, 8 insertions(+), 1 deletion(-)
diff --git a/wcfsetup/install/files/acp/templates/userSearch.tpl b/wcfsetup/install/files/acp/templates/userSearch.tpl
index d06c1c246c..b18b97d1e4 100644
--- a/wcfsetup/install/files/acp/templates/userSearch.tpl
+++ b/wcfsetup/install/files/acp/templates/userSearch.tpl
@@ -217,7 +217,9 @@
-
+ {if $__wcf->session->getPermission('admin.user.canEditMailAddress')}
+
+ {/if}
diff --git a/wcfsetup/install/files/lib/acp/form/UserSearchForm.class.php b/wcfsetup/install/files/lib/acp/form/UserSearchForm.class.php
index df27874eb1..ab5bcdb4c9 100755
--- a/wcfsetup/install/files/lib/acp/form/UserSearchForm.class.php
+++ b/wcfsetup/install/files/lib/acp/form/UserSearchForm.class.php
@@ -314,6 +314,11 @@ class UserSearchForm extends UserOptionListForm {
 public function validate() {
 AbstractForm::validate();
+ // remove email column for not authorized users
+ if (!WCF::getSession()->getPermission('admin.user.canEditMailAddress') && ($key = array_search('email', $this->columns)) !== false) {
+ unset($this->columns[$key]);
+ }
+ // do search
 $this->search();
--
2.20.1
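Review bot: The guard added to validate() drops only one 'email' entry, because array_search() returns the first matching key; if $this->columns can hold the value more than once (it looks form-supplied, but where it is populated is outside this hunk), the remaining copies keep the e-mail column available to a user without admin.user.canEditMailAddress. The call also omits the strict argument, so the match is a loose comparison. Removing every occurrence covers both: `if (!WCF::getSession()->getPermission('admin.user.canEditMailAddress')) $this->columns = array_diff($this->columns, array('email'));`. validate() begins and ends outside the hunk, so any earlier normalisation of the column list is not visible here, and the template check in userSearch.tpl only hides the option, so this server-side filter is the one that has to be complete.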