From 7015663741aa2f9bc2f383d0e516e371dd5b47c1 Mon Sep 17 00:00:00 2001
From: Charlie DeTar <cfd@media.mit.edu>
Date: Thu, 26 Mar 2015 14:39:36 -0600
Subject: [PATCH] Add userId param to changeEmail method

Fixes #852.
---
 client/views/users/account/user_account.js |  2 +-
 server/users.js                            | 10 +++++++---
 2 files changed, 8 insertions(+), 4 deletions(-)

diff --git a/client/views/users/account/user_account.js b/client/views/users/account/user_account.js
index 73e185612..337ee7785 100644
--- a/client/views/users/account/user_account.js
+++ b/client/views/users/account/user_account.js
@@ -89,7 +89,7 @@ Template[getTemplate('userAccount')].events({
       });
     });
 
-    Meteor.call('changeEmail', email);
+    Meteor.call('changeEmail', user._id, email);
 
   }
 
diff --git a/server/users.js b/server/users.js
index d892e5f1c..e587300aa 100644
--- a/server/users.js
+++ b/server/users.js
@@ -57,11 +57,15 @@ Accounts.onCreateUser(function(options, user){
 
 
 Meteor.methods({
-  changeEmail: function (newEmail) {
+  changeEmail: function (userId, newEmail) {
+    var user = Meteor.users.findOne(userId);
+    if (can.edit(user) !== true) {
+      throw new Meteor.Error("Permission denied");
+    }
     Meteor.users.update(
-      Meteor.userId(),
+      userId,
       {$set: {
-          emails: [{address: newEmail}],
+          emails: [{address: newEmail, verified: false}],
           email_hash: Gravatar.hash(newEmail),
           // Just in case this gets called from somewhere other than /client/views/users/user_edit.js
           "profile.email": newEmail