Avatar Authorization Bug

The method /users/:userId/avatar seems to check the user permission to update avatar, even when an administrator(higher-privileged user) runs it. 

When the user which owns the avatar can't change the avatar the api will reject the request, regardless of the executor.