Skip to content

fix: use the right user id when changing the email #41539

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
DeepDiver1975 merged 4 commits into from
May 21, 2026
+42 −30
Merged

fix: use the right user id when changing the email #41539

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
1fbf503
fix: use the right user id when changing the email
jvillafanez Apr 21, 2026
5e57b95
test: adjust unit test to ensure the mail is set for the user2
jvillafanez Apr 22, 2026
b6972d9
docs: add changelog entry for PR #41539
DeepDiver1975 May 21, 2026
a6608f2
fix: include test to ensure the mail of the caller isn't changed
jvillafanez May 21, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
5 changes: 5 additions & 0 deletions changelog/unreleased/41539
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,5 @@
Fix: Use the correct user ID when changing email via admin API

The admin API endpoint for changing a user's email address was incorrectly using the requesting admin's user ID instead of the target user's ID, causing the admin's email to be updated rather than the intended user's.

https://github.com/owncloud/core/pull/41539
2 changes: 1 addition & 1 deletion settings/Controller/UsersController.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -972,7 +972,7 @@ public function setMailAddress($id, $mailAddress) {

// admins can set email without verification
if ($mailAddress === '' || $this->isAdmin) {
$this->setEmailAddress($userId, $mailAddress);
$this->setEmailAddress($id, $mailAddress);
return new DataResponse(
[
'status' => 'success',
Expand Down
65 changes: 36 additions & 29 deletions tests/Settings/Controller/UsersControllerTest.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2183,28 +2183,31 @@ public function setEmailAddressData(): array {
* @param string $mailAddress
* @param bool $isValid
* @param bool $expectsUpdate
* @param bool $chanChangeMailAddress
* @param bool $canChangeMailAddress
* @param bool $responseCode
*/
public function testSetEmailAddress($mailAddress, $isValid, $expectsUpdate, $chanChangeMailAddress, $responseCode): void {
public function testSetEmailAddress($mailAddress, $isValid, $expectsUpdate, $canChangeMailAddress, $responseCode): void {
$this->container['IsAdmin'] = true;

$user = $this->getMockBuilder(User::class)
->disableOriginalConstructor()->getMock();
$user
->method('getUID')
->willReturn('foo');
$user
->method('getEMailAddress')
->willReturn('foo@local');
$user
->method('canChangeMailAddress')
->willReturn($chanChangeMailAddress);
$user
->method('setEMailAddress')
->with(
$this->equalTo($mailAddress)
);
$user = $this->createMock(User::class);
$user->method('getUID')->willReturn('foo');
$user->method('getEMailAddress')->willReturn('foo@local');
$user->method('canChangeMailAddress')->willReturn($canChangeMailAddress);
$user->expects($this->never())->method('setEmailAddress');

$user2 = $this->createMock(User::class);
$user2->method('getUID')->willReturn('anotherUserId');
$user2->method('getEMailAddress')->willReturn('another@local');
$user2->method('canChangeMailAddress')->willReturn($canChangeMailAddress);

if ($isValid && $canChangeMailAddress) {
$user2
->expects($this->once())
->method('setEMailAddress')
->with(
$this->equalTo($mailAddress)
);
}

$this->container['UserSession']
->expects($this->atLeastOnce())
Expand All @@ -2215,24 +2218,28 @@ public function testSetEmailAddress($mailAddress, $isValid, $expectsUpdate, $cha
->with($mailAddress)
->willReturn($isValid);

if ($isValid) {
$user->expects($this->atLeastOnce())
->method('canChangeMailAddress')
->willReturn(true);
}

$this->container['Config']
->method('getUserValue')
->with('foo', 'owncloud', 'changeMail')
->willReturn('12000:AVerySecretToken');
->willReturnMap([
['foo', 'owncloud', 'changeMail', '12000:AVerySecretToken'],
['anotherUserId', 'owncloud', 'changeMail', '120:ASecretToken'],
]);
$this->container['TimeFactory']
->method('getTime')
->willReturnOnConsecutiveCalls(12301, 12348);
$this->container['UserManager']
->expects($this->atLeastOnce())
->method('get')
->with('foo')
->willReturn($user);
->willReturnCallback(function ($id) use ($user, $user2) {
switch($id) {
case "foo":
return $user;
case "anotherUserId":
return $user2;
default:
return null;
}
});
$this->container['SecureRandom']
->method('generate')
->with('21')
Expand Down Expand Up @@ -2265,7 +2272,7 @@ public function testSetEmailAddress($mailAddress, $isValid, $expectsUpdate, $cha
->method('send')
->with($message);

$response = $this->container['UsersController']->setMailAddress($user->getUID(), $mailAddress);
$response = $this->container['UsersController']->setMailAddress("anotherUserId", $mailAddress);
$this->assertSame($responseCode, $response->getStatus());
}

Expand Down
Loading