From 0322e984e0f559973064b227615a1497601ffd1c Mon Sep 17 00:00:00 2001
From: Julian Lam
Date: Thu, 3 Feb 2022 15:41:40 -0500
Subject: [PATCH] fix: #10236, don't check email:uid, instead verify an email confirmation is active
---
 src/controllers/write/users.js | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/src/controllers/write/users.js b/src/controllers/write/users.js
index 3ab37025ca..140cf6c171 100644
--- a/src/controllers/write/users.js
+++ b/src/controllers/write/users.js
@@ -265,8 +265,8 @@ Users.getEmail = async (req, res) => {
 };
 Users.confirmEmail = async (req, res) => {
- const [exists, canManage] = await Promise.all([
- db.isSortedSetMember('email:uid', req.params.email.toLowerCase()),
+ const [pending, canManage] = await Promise.all([
+ user.email.isValidationPending(req.params.uid, req.params.email),
 privileges.admin.can('admin:users', req.uid),
 ]);
@@ -274,8 +274,9 @@ Users.confirmEmail = async (req, res) => {
 helpers.notAllowed(req, res);
 }
- if (exists) {
- await user.email.confirmByUid(req.params.uid);
+ if (pending) {
+ const code = await db.get(`confirm:byUid:${req.params.uid}`);
+ await user.email.confirmByCode(code, req.session.id);
 helpers.formatApiResponse(200, res);
 } else {
 helpers.formatApiResponse(404, res);
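Review bot: The new first entry of the `Promise.all` in the first hunk passes `req.params.email` unchanged, whereas the removed lookup lowercased it with `req.params.email.toLowerCase()`. Whether `user.email.isValidationPending` normalises case itself is not visible in this patch; if it compares against a stored lowercased address, a mixed-case path parameter would fall through to the 404 branch even though a confirmation is pending. Either keep the normalisation at the call site, `user.email.isValidationPending(req.params.uid, req.params.email.toLowerCase()),`, or state in a comment that the helper handles case once that has been confirmed. The body of `Users.confirmEmail` continues beyond this hunk.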
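Review bot: The guard whose body opens the second hunk calls `helpers.notAllowed(req, res);` without returning, so execution appears to continue into `if (pending)`; a caller without `admin:users` would still reach `user.email.confirmByCode`, and a second response would be written. The `if` line of that guard lies between the two hunks and is not shown, so this is inferred from the `canManage` value computed in the first hunk; if it holds, the line should read `return helpers.notAllowed(req, res);`. Separately, `code` is fetched in a second round-trip after the pending check and may be `null` if the confirmation expired in between, so a guard such as `if (!code) { return helpers.formatApiResponse(404, res); }` before `confirmByCode` would keep a missing code out of that call.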