From 82ff0c5852f29daa5f95d965fd50665581e7ea3c Mon Sep 17 00:00:00 2001
From: ᴜɴᴋɴᴡᴏɴ
Date: Sun, 15 Mar 2020 18:58:56 +0800
Subject: email: check the owner when set as primary (#5988)
* email: check the owner when set as primary
Fixes a security issue reported by muxishuihan.
* Update CHANGELOG
---
 internal/route/user/setting.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'internal/route')
diff --git a/internal/route/user/setting.go b/internal/route/user/setting.go
index c61309c2..f09e4034 100644
--- a/internal/route/user/setting.go
+++ b/internal/route/user/setting.go
@@ -237,7 +237,7 @@ func SettingsEmailPost(c *context.Context, f form.AddEmail) {
 // Make emailaddress primary.
 if c.Query("_method") == "PRIMARY" {
- if err := db.MakeEmailPrimary(&db.EmailAddress{ID: c.QueryInt64("id")}); err != nil {
+ if err := db.MakeEmailPrimary(c.UserID(), &db.EmailAddress{ID: c.QueryInt64("id")}); err != nil {
 c.ServerError("MakeEmailPrimary", err)
 return
 }
--
cgit v1.2.3
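Review bot: An ownership mismatch on the `MakeEmailPrimary` call still goes to `c.ServerError`, so a request naming another account's email `id` would presumably surface as a 500 and be logged as a server fault rather than as a rejected authorization attempt. The db-layer change is outside this view, so this is inferred from the single error branch. If that layer returns a distinguishable error for "address not owned by this user", handle it separately here with a 4xx response and a log entry carrying `c.UserID()` and the requested id, so that probing of foreign ids is visible to whoever monitors the instance. A short comment above the call would also help the next reader, for example `// id comes from the query string; MakeEmailPrimary must reject addresses not owned by c.UserID().` The body of `SettingsEmailPost` continues outside the hunk.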