
fix: use the right user id when changing the email#41539

Merged
DeepDiver1975 merged 4 commits into master from fix_userid_mail on May 21, 2026

Conversation

@jvillafanez

Member

Description

Change the email of the right user. Note that the code path isn't reachable from the web UI.
Note that there are checks some lines above for the existence of the user, so if we reach this particular line we know that there is an existing user with that id, no need to check it again.

Related Issue

  • Fixes <issue_link>

Motivation and Context

How Has This Been Tested?

Manually tested using curl. It now changes the target user's email instead of the admin's (requester) email.

Screenshots (if appropriate):

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Database schema changes (next release will require increase of minor version instead of patch)
  • Breaking change (fix or feature that would cause existing functionality to change)
  • Technical debt
  • Tests only (no source changes)

Checklist:

  • Code changes
  • Unit tests added
  • Acceptance tests added
  • Documentation ticket raised:
  • Changelog item, see TEMPLATE

@jvillafanez jvillafanez self-assigned this Apr 21, 2026

update-docs Bot commented Apr 21, 2026


Thanks for opening this pull request! The maintainers of this repository would appreciate it if you would create a changelog item based on your changes.

@DeepDiver1975 DeepDiver1975 left a comment

Member


unit testable? Thank you

Previously, the test only used one user, so it was difficult to verify
that the mail was changed for the user2 instead of user1
@DeepDiver1975

Member

Code Review

Overview

This PR fixes a bug in UsersController::setMailAddress() where an admin changing another user's email address would accidentally update the admin's own email instead of the target user's email. The root cause is a one-character variable name bug: $userId (the logged-in admin's ID) was used instead of $id (the function parameter — the target user's ID).


Source Fix

settings/Controller/UsersController.php:975

- $this->setEmailAddress($userId, $mailAddress);
+ $this->setEmailAddress($id, $mailAddress);
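Review bot: the hunk does not show the existence and permission checks that precede line 975, and the correctness of this one-character change depends on them. Since the write target is now $id (the request parameter) rather than the logged-in $userId, confirm that the earlier lookup and the admin/subadmin permission check are keyed on that same $id, and pair the change with a unit test that expects setEMailAddress on the target user and `expects($this->never())` on the caller's user mock, so a regression back to $userId fails the test.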

Correct and minimal. The fix is exactly right — $id is the parameter passed to setMailAddress($id, $mailAddress), i.e. the target user. $userId is the currently logged-in user (the admin). The PR author's note is important: this code path is only reachable via direct API calls, not the web UI — which explains why this wasn't caught earlier.


Test Changes

Improvements:

  • Typo fixed: $chanChangeMailAddress → $canChangeMailAddress — good cleanup.
  • The test now correctly verifies that setEMailAddress is called on $user2 (the target, anotherUserId) rather than $user (the admin, foo). This is the right way to test the actual behavior of the fix.
  • willReturnMap for the Config::getUserValue mock is cleaner than the previous single-value stub.

Concerns:

  1. Switch without a default case — the UserManager::get() callback returns null implicitly for unknown IDs. A default: return null; would make intent explicit.

  2. Test condition may not match production logic: setEMailAddress is only expected when $isValid && $canChangeMailAddress. But the production code path being tested is the admin path ($this->isAdmin = true), which skips the canChangeMailAddress check. If canChangeMailAddress is false, should the admin path still set the email? The test says no — but this needs verification against the controller logic.

  3. No never() assertion on the admin user mock: $user->setEMailAddress is no longer expected at all. If production code accidentally called setEMailAddress on $user (the admin) as well, no assertion would catch it. Adding $user->expects($this->never())->method('setEMailAddress') would make the test more defensive.


Process

  • No linked issue — Fixes <issue_link> is unfilled.
  • "Unit tests added" is unchecked — tests were updated, so this should be checked.
  • No changelog entry — the checklist item is unchecked and no changelog file is present in the diff.

Summary

Category              Assessment
--------------------  -----------------------------------------------------------------------------------
Correctness           The one-line fix is correct
Test coverage         Good improvement, but missing never() assertion on admin mock
Test logic accuracy   Needs verification that $isValid && $canChangeMailAddress matches the admin code path
Security              Low-severity (API-only), but the fix is still important for correctness

The core fix is sound. I'd suggest:

  1. Adding $user->expects($this->never())->method('setEMailAddress') to guard against regressions,
  2. Clarifying whether the admin path truly respects canChangeMailAddress, and
  3. Adding a linked issue + changelog entry before merging.
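The regression test the review asks for, shown against a constructed stand-in rather than ownCloud's own UsersController (this example is added here and is not code from the project or the PR): the test pins the caller/target distinction by expecting setEMailAddress once on the target and never on the requester, so reintroducing the $userId-for-$id mix-up fails the test. The User interface, MailController class and the 'foo'/'anotherUserId' lookup map are all hypothetical.

```php
<?php
// Constructed illustration of the bug class fixed in the PR: the request
// parameter ($id) names the target user, while $callerId is the requester.
use PHPUnit\Framework\TestCase;

interface User { public function setEMailAddress(string $mail): void; }

final class MailController {
    /** @param callable(string): ?User $lookup  hypothetical user lookup */
    public function __construct(private string $callerId, private $lookup) {}

    public function setMailAddress(string $id, string $mail): array {
        $target = ($this->lookup)($id);
        if ($target === null) {
            return ['status' => 'error'];
        }
        // The defect in the PR was passing the caller's id here instead of $id,
        // which silently rewrote the requester's own address.
        $target->setEMailAddress($mail);
        return ['status' => 'success'];
    }
}

final class MailControllerTest extends TestCase {
    public function testOnlyTargetIsChanged(): void {
        $caller = $this->createMock(User::class);
        $target = $this->createMock(User::class);
        $users = ['foo' => $caller, 'anotherUserId' => $target];
        $controller = new MailController('foo', fn(string $id): ?User => $users[$id] ?? null);

        // Target must be written exactly once with the requested address.
        $target->expects($this->once())
            ->method('setEMailAddress')
            ->with('new@example.test');
        // The guard the review asked for: the requester's mock is never touched.
        $caller->expects($this->never())->method('setEMailAddress');

        $this->assertSame(
            ['status' => 'success'],
            $controller->setMailAddress('anotherUserId', 'new@example.test')
        );
    }
}
```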

@DeepDiver1975 DeepDiver1975 merged commit 3ff2884 into master May 21, 2026
12 checks passed
@DeepDiver1975 DeepDiver1975 deleted the fix_userid_mail branch May 21, 2026 14:10
@DeepDiver1975 DeepDiver1975 mentioned this pull request May 21, 2026
DeepDiver1975 added a commit that referenced this pull request May 21, 2026
* fix: use the right user id when changing the email

* test: adjust unit test to ensure the mail is set for the user2

Previously, the test only used one user, so it was difficult to verify
that the mail was changed for the user2 instead of user1

* docs: add changelog entry for PR #41539

* fix: include test to ensure the mail of the caller isn't changed

---------

Co-authored-by: Thomas Müller <1005065+DeepDiver1975@users.noreply.github.com>
(cherry picked from commit 3ff2884)
Signed-off-by: Thomas Müller <1005065+DeepDiver1975@users.noreply.github.com>
DeepDiver1975 added a commit that referenced this pull request Jun 1, 2026
* fix(security): OC10-75 - restrict AppConfigController read methods to full admins only (#41550)

* fix(security): restrict AppConfigController read methods to full admins only

OC10-75: Subadmins could read all oc_appconfig values including SMTP
passwords and LDAP credentials via getApps/getKeys/getValue endpoints.
Remove @NoAdminRequired so AdminMiddleware enforces full-admin-only access,
consistent with the write methods.

CVSS: 7.7
Signed-off-by: Thomas Müller <1005065+DeepDiver1975@users.noreply.github.com>

* fix: replace OC.AppConfig.getValue in users.js with server-rendered checkbox state

The umgmt_set_password value is already rendered server-side into
#CheckBoxPasswordOnUserCreate's checked attribute. Remove the redundant
AJAX call which would now return 403 for Subadmins after the security fix.

Signed-off-by: Thomas Müller <1005065+DeepDiver1975@users.noreply.github.com>

* chore: add changelog entry for OC10-75 (#41550)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Signed-off-by: Thomas Müller <1005065+DeepDiver1975@users.noreply.github.com>

---------

Signed-off-by: Thomas Müller <1005065+DeepDiver1975@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>

* fix(comments): prevent IDOR in WebDAV comments API (#41558)

* test(comments): stub objectType/objectId in EntityCollection happy-path tests

Signed-off-by: Thomas Müller <1005065+DeepDiver1975@users.noreply.github.com>

* test(comments): add failing IDOR regression tests for EntityCollection

Signed-off-by: Thomas Müller <1005065+DeepDiver1975@users.noreply.github.com>

* fix(comments): prevent IDOR in WebDAV comments API by checking comment ownership

An authenticated user could PROPFIND/DELETE/PROPPATCH any comment by
supplying an arbitrary comment_id paired with any file_id they own.
EntityCollection::getChild() and childExists() now verify that the
fetched comment's objectType and objectId match the collection's own
entity type and file ID before returning or confirming the node.

Fixes OC10-53

Signed-off-by: Thomas Müller <1005065+DeepDiver1975@users.noreply.github.com>

* docs: add changelog entry for OC10-53 IDOR fix in WebDAV comments API

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Signed-off-by: Thomas Müller <1005065+DeepDiver1975@users.noreply.github.com>

---------

Signed-off-by: Thomas Müller <1005065+DeepDiver1975@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>

* fix(security): update phpseclib/phpseclib to 3.0.52 for CVE-2026-40194

CVE-2026-40194: timing attack in SSH binary packet processing fixed in 3.0.51.
Also picks up 3.0.52 correctness fixes (ASN.1 hardening, OpenSSL 3.2+ RSA compat).

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Signed-off-by: Thomas Müller <1005065+DeepDiver1975@users.noreply.github.com>

* fix(security): update symfony/routing to 5.4.52 for CVE-2026-45065

CVE-2026-45065: UrlGenerator regex alternation anchoring bypass allowing
off-site URL injection via route requirement validation.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Signed-off-by: Thomas Müller <1005065+DeepDiver1975@users.noreply.github.com>

* fix: check for the identifier alias for the storage backend (#41538)

* fix: check for the identifier alias for the storage backend

* test: add unit tests to local external storage

* chore: add changelog entry

* fix: move backend checks to a different place

* fix: adjust unit tests

* fix: visibility for local storage for the admin based on flag

Without the visibility, the admin won't be able to create local
storages, and the previously created local mounts will be hidden and
inaccessible

* fix: review comments

* fix: remove user mounting check in controller and rely on validation

* fix: adjust code based on reviews

(cherry picked from commit 5c7dfc0)
Signed-off-by: Thomas Müller <1005065+DeepDiver1975@users.noreply.github.com>

* fix: use the right user id when changing the email (#41539)

* fix: use the right user id when changing the email

* test: adjust unit test to ensure the mail is set for the user2

Previously, the test only used one user, so it was difficult to verify
that the mail was changed for the user2 instead of user1

* docs: add changelog entry for PR #41539

* fix: include test to ensure the mail of the caller isn't changed

---------

Co-authored-by: Thomas Müller <1005065+DeepDiver1975@users.noreply.github.com>
(cherry picked from commit 3ff2884)
Signed-off-by: Thomas Müller <1005065+DeepDiver1975@users.noreply.github.com>

* chore: add changelog for 10.16.3

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Signed-off-by: Thomas Müller <1005065+DeepDiver1975@users.noreply.github.com>

* ci: fix lint pipeline and sync with master

* chore: set version properly and generate changelog

Signed-off-by: Thomas Müller <1005065+DeepDiver1975@users.noreply.github.com>

---------

Signed-off-by: Thomas Müller <1005065+DeepDiver1975@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: Juan Pablo Villafañez <jpvillafanez@izertis.com>