email: check the owner when set as primary (#5988)

* email: check the owner when set as primary Fixes a security issue reported by muxishuihan. * Update CHANGELOG
author: ᴜɴᴋɴᴡᴏɴ <u@gogs.io> 2020-03-15 18:58:56 +0800
committer: GitHub <noreply@github.com> 2020-03-15 18:58:56 +0800
commit: 82ff0c5852f29daa5f95d965fd50665581e7ea3c (patch)
tree: 25efa7f04324b3d59858f76bf3acbe2301a46136 /internal/route/user
parent: 07f71e2034e315d02f2d7148467e08acfa20a5cb (diff)
1 files changed, 1 insertions, 1 deletions
diff --git a/internal/route/user/setting.go b/internal/route/user/setting.go
index c61309c2..f09e4034 100644
--- a/internal/route/user/setting.go
+++ b/internal/route/user/setting.go
@@ -237,7 +237,7 @@ func SettingsEmailPost(c *context.Context, f form.AddEmail) {
 
 	// Make emailaddress primary.
 	if c.Query("_method") == "PRIMARY" {
-		if err := db.MakeEmailPrimary(&db.EmailAddress{ID: c.QueryInt64("id")}); err != nil {
+		if err := db.MakeEmailPrimary(c.UserID(), &db.EmailAddress{ID: c.QueryInt64("id")}); err != nil {
 			c.ServerError("MakeEmailPrimary", err)
 			return
 		}
author	ᴜɴᴋɴᴡᴏɴ <u@gogs.io>	2020-03-15 18:58:56 +0800
committer	GitHub <noreply@github.com>	2020-03-15 18:58:56 +0800
commit	82ff0c5852f29daa5f95d965fd50665581e7ea3c (patch)
tree	25efa7f04324b3d59858f76bf3acbe2301a46136 /internal/route/user
parent	07f71e2034e315d02f2d7148467e08acfa20a5cb (diff)