authorᴜɴᴋɴᴡᴏɴ <u@gogs.io>2020-03-15 18:58:56 +0800
committerGitHub <noreply@github.com>2020-03-15 18:58:56 +0800
commit82ff0c5852f29daa5f95d965fd50665581e7ea3c (patch)
tree25efa7f04324b3d59858f76bf3acbe2301a46136 /internal/db
parent07f71e2034e315d02f2d7148467e08acfa20a5cb (diff)
email: check the owner when set as primary (#5988)
* email: check the owner when set as primary. Fixes a security issue reported by muxishuihan.
* Update CHANGELOG
Diffstat (limited to 'internal/db')
-rw-r--r--internal/db/user_mail.go6
1 files changed, 5 insertions, 1 deletions
diff --git a/internal/db/user_mail.go b/internal/db/user_mail.go
index 440de084..37f0c2c0 100644
--- a/internal/db/user_mail.go
+++ b/internal/db/user_mail.go
@@ -160,7 +160,7 @@ func DeleteEmailAddresses(emails []*EmailAddress) (err error) {
return nil
}
-func MakeEmailPrimary(email *EmailAddress) error {
+func MakeEmailPrimary(userID int64, email *EmailAddress) error {
has, err := x.Get(email)
if err != nil {
return err
@@ -168,6 +168,10 @@ func MakeEmailPrimary(email *EmailAddress) error {
return errors.EmailNotFound{Email: email.Email}
}
+ if email.UID != userID {
+ return errors.New("not the owner of the email")
+ }
+
if !email.IsActivated {
return errors.EmailNotVerified{Email: email.Email}
}
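Review bot: The added ownership check returns a distinct `not the owner of the email` error only after `x.Get` has confirmed the address exists, so if a caller surfaces that message the requesting user can tell that the address is registered to some other account, whereas an unknown address gets `EmailNotFound`. Returning the same typed error on a UID mismatch — `if email.UID != userID { return errors.EmailNotFound{Email: email.Email} }` — keeps other users' addresses indistinguishable from nonexistent ones and matches the sibling `EmailNotFound`/`EmailNotVerified` returns, which callers can match on, instead of an untyped `errors.New`. Whether the message actually reaches the HTTP response depends on the callers, which are outside this diff. MakeEmailPrimary continues past the end of the hunk; the exported function also has no doc comment, and one stating that the address must belong to userID and be activated before it is made primary would help.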