From ec77aa0dfba2f7879e39383b8d9dc2eed0964434 Mon Sep 17 00:00:00 2001
From: Raghav Jajodia
Date: Sat, 4 Mar 2017 13:46:48 +0530
Subject: [PATCH] user_settings: Add auth check before confirm_email_change.

This isn't strictly necessary, but adds a little bit of extra security to the overall email change flow.
---
 zerver/tests/test_email_change.py | 13 +++++++++++++
 zerver/views/user_settings.py | 4 +++-
 2 files changed, 16 insertions(+), 1 deletion(-)
diff --git a/zerver/tests/test_email_change.py b/zerver/tests/test_email_change.py
index fc3ce26114..d749f1f01c 100644
--- a/zerver/tests/test_email_change.py
+++ b/zerver/tests/test_email_change.py
@@ -47,10 +47,22 @@ class EmailChangeTestCase(ZulipTestCase):
 self.assertEqual(response.status_code, 200)
 self.assertIn("Whoops", response.content.decode('utf8'))

+ def test_email_change_when_not_logging_in(self):
+ # type: () -> None
+ key = generate_key()
+ with self.assertRaises(EmailChangeConfirmation.DoesNotExist):
+ url = EmailChangeConfirmation.objects.get_activation_url(key)
+
+ url = EmailChangeConfirmation.objects.get_activation_url(
+ key, 'testserver')
+ response = self.client_get(url)
+ self.assertEqual(response.status_code, 302)
+
 def test_confirm_email_change_when_time_exceeded(self):
 # type: () -> None
 old_email = 'hamlet@zulip.com'
 new_email = 'hamlet-new@zulip.com'
+ self.login('hamlet@zulip.com')
 user_profile = get_user_profile_by_email(old_email)
 obj = EmailChangeStatus.objects.create(new_email=new_email,
 old_email=old_email,
@@ -70,6 +82,7 @@ class EmailChangeTestCase(ZulipTestCase):
 # type: () -> None
 old_email = 'hamlet@zulip.com'
 new_email = 'hamlet-new@zulip.com'
+ self.login('hamlet@zulip.com')
 user_profile = get_user_profile_by_email(old_email)
 obj = EmailChangeStatus.objects.create(new_email=new_email,
 old_email=old_email,
diff --git a/zerver/views/user_settings.py b/zerver/views/user_settings.py
index 875e7faa97..26a4fc5854 100644
--- a/zerver/views/user_settings.py
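Review bot: `test_email_change_when_not_logging_in` only asserts `status_code == 302`, which cannot distinguish the login redirect this commit is meant to exercise from any other redirect the view might issue for a key that was never stored; also assert the target, e.g. `self.assertIn('login', response['Location'])`, or use Django's `assertRedirects(..., fetch_redirect_response=False)`. Because the key comes straight from `generate_key()` and is never persisted, the anonymous path is only covered for a non-existent confirmation; a stronger check would create a pending change the way the neighbouring tests do, request its URL without logging in, and then confirm both the redirect and that the user's email is unchanged. The `url = ...` assignment inside the `assertRaises` block is dead and suggests the value is used later; a bare call reads more honestly. The method name would read better as `test_email_change_when_not_logged_in`.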
+++ b/zerver/views/user_settings.py
@@ -11,7 +11,8 @@ from django.shortcuts import redirect, render
 from django.template.loader import render_to_string
 from django.urls import reverse

-from zerver.decorator import authenticated_json_post_view, has_request_variables, REQ
+from zerver.decorator import authenticated_json_post_view, has_request_variables, \
+ zulip_login_required, REQ
 from zerver.lib.actions import do_change_password, \
 do_change_enable_desktop_notifications, \
 do_change_enter_sends, do_change_enable_sounds, \
@@ -34,6 +35,7 @@ from zerver.models import UserProfile, Realm, name_changes_disabled, \
 EmailChangeStatus
 from confirmation.models import EmailChangeConfirmation

+@zulip_login_required
 def confirm_email_change(request, confirmation_key):
 # type: (HttpRequest, str) -> HttpResponse
 confirmation_key = confirmation_key.lower()
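Review bot: `@zulip_login_required` on `confirm_email_change` guarantees a logged-in session but does not by itself tie the confirmation key to that session, so the view body (which continues past the end of the hunk) should verify that the pending change the key resolves to belongs to `request.user` and treat a mismatch exactly like an invalid key. Without that comparison the decorator only changes who can redeem a leaked key from "anyone" to "anyone with an account", which matches the commit message's own "not strictly necessary" caveat. If the body already performs that binding, a one-line comment above the decorator, such as `# Login is required so the key can be checked against request.user below.`, would make the intent visible from the signature; if it does not, the comparison is the check worth adding in this change.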