diff --git a/src/postorius/views/list.py b/src/postorius/views/list.py
index 37d7ff6b..cd4967b9 100644
--- a/src/postorius/views/list.py
+++ b/src/postorius/views/list.py
@@ -502,6 +502,15 @@ class ListUnsubscribeView(MailingListView):
     @method_decorator(login_required)
     def post(self, request, *args, **kwargs):
         email = request.POST['email']
+        # Verify the user actually controls this email, should
+        # return 1 if the user owns the email, 0 otherwise.
+        found_email = EmailAddress.objects.filter(
+            user=request.user, email=email, verified=True).count()
+        if found_email == 0:
+            messages.error(
+                request,
+                _('You can only unsubscribe yourself.'))
+            return redirect('list_summary', self.mailing_list.list_id)
         try:
             self.mailing_list.unsubscribe(email)
             messages.success(request, _('%s has been unsubscribed'
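Review bot: The ownership test on the added `found_email` lines is a yes/no question answered with `.count()` and a comparison to 0, and the new comment promises a 1-or-0 result that `.count()` does not guarantee; `.exists()` states the intent, stops at the first matching row, and lets the comment go: `if not EmailAddress.objects.filter(user=request.user, email=email, verified=True).exists():`. The filter is also an exact-case match (`email=email`) on a user-typed value from `request.POST['email']`, so an owner whose verified address is stored in a different case than they typed is refused — not a bypass, since a match against the caller's own verified rows is still required, but `email__iexact=email` is the usual form if EmailAddress does not already normalise case (worth confirming). Note the same context line still does `request.POST['email']`, which raises KeyError (an HTTP 500) when the field is missing rather than reaching the new check; `request.POST.get('email', '')` would let it fail with the new error message instead. The rest of `post` (the except branch and the final redirect) lies outside the hunk.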