A user can add any arbitrary email to "Linked emails" without proving that they actually own the email address
Summary
When adding an email to "Linked emails" in the profile settings, I don't have to prove that the email actually belongs to me. There are two problems with this:
- I can claim ownership of any email and prevent the actual owner from adding the email to their profile
- I can claim ownership of any email and thereby claim ownership of the corresponding commits
- (Future problem, not implemented yet: for the GPG key verification in https://gitlab.com/gitlab-org/gitlab-ce/issues/20268 we need to be able to verify the emails)
Steps to reproduce
- Log in to GitLab
- Go to Settings > Emails
- Enter any (unclaimed) email address in the "Email" field
- Click on "Add email address"
What is the current bug behavior?
The email address is registered as the user's email without any verification.
What is the expected correct behavior?
The email should only be registered to the user's profile after proving that the user actually owns the email address.
Possible fixes
Adding an email address should send a verification email to the added address. Only after the verification link in that email has been clicked should the address be added to the user's profile.
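The following is an added sketch of the proposed flow, not GitLab's own code. It models the two steps described above: submitting an address only creates a pending entry and yields a single-use token that would be mailed to that address, and the address is linked to the profile only when that token is presented before it expires. Only the SHA-256 digest of the token is stored, so a leak of the pending table does not let anyone complete someone else's verification. The 24-hour lifetime, the class and method names, and the injected clock are assumptions made for the example.

```ruby
require 'securerandom'
require 'digest'
require 'time'

# Added example (not GitLab's code): link an email to a profile only after
# proof of ownership. A random link token is generated, only its SHA-256
# digest is kept, and the address is linked when the token comes back
# unexpired. The TTL and names below are assumptions for this example.
class EmailVerifier
  TOKEN_TTL = 24 * 60 * 60 # seconds; assumed lifetime of a verification link

  # The clock is injectable so expiry can be exercised without sleeping.
  def initialize(clock: -> { Time.now })
    @clock = clock
    @pending = {} # token digest => { user:, email:, expires_at: }
    @linked = {}  # normalized email => user id that proved ownership
  end

  # Step 1: the user submits an address. Nothing is linked yet; the caller
  # would mail the returned raw token to that address (mailing is out of scope).
  # Returns nil when the address is already proven by someone else.
  def request_link(user_id, email)
    addr = normalize(email)
    return nil if @linked.key?(addr)

    raw = SecureRandom.urlsafe_base64(32)
    @pending[digest(raw)] = {
      user: user_id,
      email: addr,
      expires_at: @clock.call + TOKEN_TTL
    }
    raw
  end

  # Step 2: the recipient follows the link. The token is single-use: it is
  # removed from the pending table whether or not the link succeeds.
  def confirm(raw_token)
    entry = @pending.delete(digest(raw_token.to_s))
    return :invalid if entry.nil?
    return :expired if @clock.call > entry[:expires_at]
    return :taken if @linked.key?(entry[:email]) # someone else proved it first

    @linked[entry[:email]] = entry[:user]
    :linked
  end

  # Who, if anyone, has proven ownership of this address.
  def owner_of(email)
    @linked[normalize(email)]
  end

  private

  def normalize(email)
    email.to_s.strip.downcase
  end

  # Store a digest, never the raw token, so the table alone cannot be replayed.
  def digest(raw)
    Digest::SHA256.hexdigest(raw)
  end
end
```

In a real application the pending entries and linked addresses would live in database tables, and the raw token would appear only in the outgoing mail and the confirmation URL; the shape of the check (digest lookup, expiry, single use, and a final "is this address already claimed" test at confirmation time) is the part worth keeping.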