2 files changed, 28 insertions, 0 deletions

diff --git a/src/mailman/model/member.py b/src/mailman/model/member.py
index 410f037dc..095e6fae7 100644
--- a/src/mailman/model/member.py
+++ b/src/mailman/model/member.py
@@ -114,6 +114,9 @@ class Member(Model):
             # A member cannot change their subscription address to an
             # unverified address.
             raise UnverifiedAddressError(new_address)
+        user = getUtility(IUserManager).get_user(new_address.email)
+        if user is None or user != self.user:
+            raise MembershipError('Address is not controlled by user')
         self._address = new_address
 
     @property
diff --git a/src/mailman/model/tests/test_member.py b/src/mailman/model/tests/test_member.py
index b99ff4911..7906d8983 100644
--- a/src/mailman/model/tests/test_member.py
+++ b/src/mailman/model/tests/test_member.py
@@ -71,6 +71,31 @@ class TestMember(unittest.TestCase):
         self.assertRaises(UnverifiedAddressError,
                           setattr, member, 'address', new_address)
 
+    def test_cannot_change_to_address_uncontrolled_address(self):
+        # A user tries to change their subscription to an address they do not
+        # control.
+        anne = self._usermanager.create_user('anne@example.com')
+        address = list(anne.addresses)[0]
+        member = self._mlist.subscribe(address)
+        new_address = self._usermanager.create_address('nobody@example.com')
+        new_address.verified_on = now()
+        # The new address is not verified.
+        self.assertRaises(MembershipError,
+                          setattr, member, 'address', new_address)
+
+    def test_cannot_change_to_address_controlled_by_other_user(self):
+        # A user tries to change their subscription to an address some other
+        # user controls.
+        anne = self._usermanager.create_user('anne@example.com')
+        anne_address = list(anne.addresses)[0]
+        bart = self._usermanager.create_user('bart@example.com')
+        bart_address = list(bart.addresses)[0]
+        bart_address.verified_on = now()
+        member = self._mlist.subscribe(anne_address)
+        # The new address is not verified.
+        self.assertRaises(MembershipError,
+                          setattr, member, 'address', bart_address)
+
 
 
 def test_suite():