From c5c443c75679f4bc161096d9f1624325a34b6b6b Mon Sep 17 00:00:00 2001
From: Chih-Hung Hsieh <chh@google.com>
Date: Wed, 16 May 2018 11:44:50 -0700
Subject: [PATCH] Do not use o=ALL_EMAILS parameter.

For security reason, this REST API parameter needs account modification
permission to get all email addresses. Now changed to ask only account
number to verify an email address.

Bug: 79863374
Test: test with existing OWNERS
Change-Id: Ic913b7ad96a69c35d1d91e5871f4c5636e73533d
---
 tools/checkowners.py | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/tools/checkowners.py b/tools/checkowners.py
index 1190d30f2c..54198a7e96 100755
--- a/tools/checkowners.py
+++ b/tools/checkowners.py
@@ -30,12 +30,11 @@ def echo(msg):
 
 def find_address(address):
   if address not in checked_addresses:
-    request = (gerrit_server + '/accounts/?n=1&o=ALL_EMAILS&q=email:'
+    request = (gerrit_server + '/accounts/?n=1&q=email:'
                + urllib.quote(address))
     echo('Checking email address: ' + address)
     result = urllib2.urlopen(request).read()
-    checked_addresses[address] = (
-        result.find('"email":') >= 0 and result.find('"_account_id":') >= 0)
+    checked_addresses[address] = result.find('"_account_id":') >= 0
   return checked_addresses[address]