Ensure only own addresses are updated (#10397)

models/user.go

 		data := com.ToStr(user.ID) + email + user.LowerName + user.Passwd + user.Rands
 
 		if base.VerifyTimeLimitCode(data, minutes, prefix) {
-			emailAddress := &EmailAddress{Email: email}
+			emailAddress := &EmailAddress{UID: user.ID, Email: email}
 			if has, _ := x.Get(emailAddress); has {
 				return emailAddress
 			}

models/user_mail.go

 	}
 
 	// Make sure the former primary email doesn't disappear.
-	formerPrimaryEmail := &EmailAddress{Email: user.Email}
+	formerPrimaryEmail := &EmailAddress{UID: user.ID, Email: user.Email}
 	has, err = x.Get(formerPrimaryEmail)
 	if err != nil {
 		return err