fixed vulnerabilities (#392)

2016-12-15 16:49:06 +08:00 · 2016-12-15 16:49:06 +08:00 · b4c794058a
commit b4c794058a
parent d771e978a1
4 changed files with 37 additions and 12 deletions
--- a/models/token.go
+++ b/models/token.go
@ -88,7 +88,14 @@ func UpdateAccessToken(t *AccessToken) error {
 }

 // DeleteAccessTokenByID deletes access token by given ID.
-func DeleteAccessTokenByID(id int64) error {
-	_, err := x.Id(id).Delete(new(AccessToken))
-	return err
+func DeleteAccessTokenByID(id, userID int64) error {
+	cnt, err := x.Id(id).Delete(&AccessToken{
+		UID: userID,
+	})
+	if err != nil {
+		return err
+	} else if cnt != 1 {
+		return ErrAccessTokenNotExist{}
+	}
+	return nil
 }
--- a/models/user_mail.go
+++ b/models/user_mail.go
@ -5,10 +5,16 @@
 package models

 import (
+	"errors"
 	"fmt"
 	"strings"
 )

+var (
+	// ErrEmailAddressNotExist email address not exist
+	ErrEmailAddressNotExist = errors.New("Email address does not exist")
+)
+
 // EmailAddress is the list of all email addresses of a user. Can contain the
 // primary email address, but is not obligatory.
 type EmailAddress struct {
@ -139,14 +145,25 @@ func (email *EmailAddress) Activate() error {

 // DeleteEmailAddress deletes an email address of given user.
 func DeleteEmailAddress(email *EmailAddress) (err error) {
-	if email.ID > 0 {
-		_, err = x.Id(email.ID).Delete(new(EmailAddress))
-	} else {
-		_, err = x.
-			Where("email=?", email.Email).
-			Delete(new(EmailAddress))
+	var deleted int64
+	// ask to check UID
+	var address = EmailAddress{
+		UID: email.UID,
 	}
-	return err
+	if email.ID > 0 {
+		deleted, err = x.Id(email.ID).Delete(&address)
+	} else {
+		deleted, err = x.
+			Where("email=?", email.Email).
+			Delete(&address)
+	}
+
+	if err != nil {
+		return err
+	} else if deleted != 1 {
+		return ErrEmailAddressNotExist
+	}
+	return nil
 }

 // DeleteEmailAddresses deletes multiple email addresses
--- a/routers/api/v1/user/email.go
+++ b/routers/api/v1/user/email.go
@ -73,6 +73,7 @@ func DeleteEmail(ctx *context.APIContext, form api.CreateEmailOption) {
 	for i := range form.Emails {
 		emails[i] = &models.EmailAddress{
 			Email: form.Emails[i],
+			UID:   ctx.User.ID,
 		}
 	}

--- a/routers/user/setting.go
+++ b/routers/user/setting.go
@ -287,7 +287,7 @@ func SettingsEmailPost(ctx *context.Context, form auth.AddEmailForm) {

 // DeleteEmail response for delete user's email
 func DeleteEmail(ctx *context.Context) {
-	if err := models.DeleteEmailAddress(&models.EmailAddress{ID: ctx.QueryInt64("id")}); err != nil {
+	if err := models.DeleteEmailAddress(&models.EmailAddress{ID: ctx.QueryInt64("id"), UID: ctx.User.ID}); err != nil {
 		ctx.Handle(500, "DeleteEmail", err)
 		return
 	}
@ -422,7 +422,7 @@ func SettingsApplicationsPost(ctx *context.Context, form auth.NewAccessTokenForm

 // SettingsDeleteApplication response for delete user access token
 func SettingsDeleteApplication(ctx *context.Context) {
-	if err := models.DeleteAccessTokenByID(ctx.QueryInt64("id")); err != nil {
+	if err := models.DeleteAccessTokenByID(ctx.QueryInt64("id"), ctx.User.ID); err != nil {
 		ctx.Flash.Error("DeleteAccessTokenByID: " + err.Error())
 	} else {
 		ctx.Flash.Success(ctx.Tr("settings.delete_token_success"))