API save/update user RateLimiter when logged in as Admin  #5130

@AlecTroemel

Description

Rocket.Chat version: 0.47

Currently, if you hit the user.create or user.update routes while logged into the API as admin, you are still limited by the RateLimit of those functions.

I believe this is because in the RateLimit function https://github.com/RocketChat/Rocket.Chat/blob/develop/packages/rocketchat-lib/server/functions/setEmail.js, userId is the id of the user whose email/username you are updating, not the userId of the user making the call (this.userId() or Meteor.userId()).

If the user has the permission edit-other-user-info, they can only edit their own username without any limitations (or those users who also have the permission edit-other-user-info). This seems to be different from the intended purpose of the line

```coffeescript
return not userId or not RocketChat.authz.hasPermission(userId, 'edit-other-user-info')
```

which to me means admins (or those with that permission) should be able to update those values without the rate limit.

At the very least, a rate limit of 1 minute between updating a user's email from the API while logged in as the admin seems rough to me.

Thoughts?
