fixed vulnerabilities (#392)
This commit is contained in:
parent
d771e978a1
commit
b4c794058a
4 changed files with 37 additions and 12 deletions
|
@ -88,7 +88,14 @@ func UpdateAccessToken(t *AccessToken) error {
|
|||
}
|
||||
|
||||
// DeleteAccessTokenByID deletes access token by given ID.
|
||||
func DeleteAccessTokenByID(id int64) error {
|
||||
_, err := x.Id(id).Delete(new(AccessToken))
|
||||
return err
|
||||
func DeleteAccessTokenByID(id, userID int64) error {
|
||||
cnt, err := x.Id(id).Delete(&AccessToken{
|
||||
UID: userID,
|
||||
})
|
||||
if err != nil {
|
||||
return err
|
||||
} else if cnt != 1 {
|
||||
return ErrAccessTokenNotExist{}
|
||||
}
|
||||
return nil
|
||||
}
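Review bot: The owner check added on `x.Id(id).Delete(&AccessToken{UID: userID})` silently disappears when userID is 0, because xorm omits zero-valued struct fields from the condition it builds from the bean, leaving the delete keyed on id alone; the same applies to the `EmailAddress{UID: email.UID}` bean in DeleteEmailAddress later in this commit. An explicit guard keeps the intent visible, `if id <= 0 || userID <= 0 { return ErrAccessTokenNotExist{} }` before the delete, or the condition can be spelled out with Where instead of relying on bean fields. The `cnt != 1` post-condition is the right check and returning the same not-exist error for a foreign token avoids disclosing its existence. The `else` after `return err` can be dropped so the happy path stays left-aligned.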
|
||||
|
|
|
@ -5,10 +5,16 @@
|
|||
package models
|
||||
|
||||
import (
|
||||
"errors"
|
||||
"fmt"
|
||||
"strings"
|
||||
)
|
||||
|
||||
var (
|
||||
// ErrEmailAddressNotExist email address not exist
|
||||
ErrEmailAddressNotExist = errors.New("Email address does not exist")
|
||||
)
|
||||
|
||||
// EmailAddress is the list of all email addresses of a user. Can contain the
|
||||
// primary email address, but is not obligatory.
|
||||
type EmailAddress struct {
|
||||
|
@ -139,14 +145,25 @@ func (email *EmailAddress) Activate() error {
|
|||
|
||||
// DeleteEmailAddress deletes an email address of given user.
|
||||
func DeleteEmailAddress(email *EmailAddress) (err error) {
|
||||
if email.ID > 0 {
|
||||
_, err = x.Id(email.ID).Delete(new(EmailAddress))
|
||||
} else {
|
||||
_, err = x.
|
||||
Where("email=?", email.Email).
|
||||
Delete(new(EmailAddress))
|
||||
var deleted int64
|
||||
// ask to check UID
|
||||
var address = EmailAddress{
|
||||
UID: email.UID,
|
||||
}
|
||||
return err
|
||||
if email.ID > 0 {
|
||||
deleted, err = x.Id(email.ID).Delete(&address)
|
||||
} else {
|
||||
deleted, err = x.
|
||||
Where("email=?", email.Email).
|
||||
Delete(&address)
|
||||
}
|
||||
|
||||
if err != nil {
|
||||
return err
|
||||
} else if deleted != 1 {
|
||||
return ErrEmailAddressNotExist
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
// DeleteEmailAddresses deletes multiple email addresses
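Review bot: The comment `// ask to check UID` does not explain why the bean carries UID; suggest `// UID is part of the delete condition so a user can only remove their own addresses.` In the by-email branch, `deleted != 1` returns ErrEmailAddressNotExist both when nothing matched and when several rows matched, so if the email column is not unique per table rows would be deleted yet an error reported; if it is unique, a one-line comment stating that assumption would make the check self-explanatory. The `else if` after `return err` could be flattened to a plain `if`.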
|
||||
|
|
|
@ -73,6 +73,7 @@ func DeleteEmail(ctx *context.APIContext, form api.CreateEmailOption) {
|
|||
for i := range form.Emails {
|
||||
emails[i] = &models.EmailAddress{
|
||||
Email: form.Emails[i],
|
||||
UID: ctx.User.ID,
|
||||
}
|
||||
}
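Review bot: Setting `UID: ctx.User.ID` on each EmailAddress only closes the hole if the model function this slice is passed to (DeleteEmailAddresses, which is not part of this change) actually includes UID in its delete condition; otherwise the field is dead here and the API path still deletes by email alone. Worth confirming that function, or covering it with a test that deletes another user's address and expects an error. The enclosing DeleteEmail handler starts and ends outside this hunk.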
|
||||
|
||||
|
|
|
@ -287,7 +287,7 @@ func SettingsEmailPost(ctx *context.Context, form auth.AddEmailForm) {
|
|||
|
||||
// DeleteEmail response for delete user's email
|
||||
func DeleteEmail(ctx *context.Context) {
|
||||
if err := models.DeleteEmailAddress(&models.EmailAddress{ID: ctx.QueryInt64("id")}); err != nil {
|
||||
if err := models.DeleteEmailAddress(&models.EmailAddress{ID: ctx.QueryInt64("id"), UID: ctx.User.ID}); err != nil {
|
||||
ctx.Handle(500, "DeleteEmail", err)
|
||||
return
|
||||
}
|
||||
|
@ -422,7 +422,7 @@ func SettingsApplicationsPost(ctx *context.Context, form auth.NewAccessTokenForm
|
|||
|
||||
// SettingsDeleteApplication response for delete user access token
|
||||
func SettingsDeleteApplication(ctx *context.Context) {
|
||||
if err := models.DeleteAccessTokenByID(ctx.QueryInt64("id")); err != nil {
|
||||
if err := models.DeleteAccessTokenByID(ctx.QueryInt64("id"), ctx.User.ID); err != nil {
|
||||
ctx.Flash.Error("DeleteAccessTokenByID: " + err.Error())
|
||||
} else {
|
||||
ctx.Flash.Success(ctx.Tr("settings.delete_token_success"))
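Review bot: In the DeleteEmail hunk above, `ctx.Handle(500, "DeleteEmail", err)` now also fires when models.DeleteEmailAddress returns ErrEmailAddressNotExist, which after this commit is the result for an id owned by another user, so a client-caused condition is reported as a server error and lands in 500 metrics and logs. Suggest handling it separately before the generic branch, `if err == models.ErrEmailAddressNotExist { ctx.Handle(404, "DeleteEmail", err); return }`. Both DeleteEmail and SettingsDeleteApplication continue past their hunks.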
|
||||
|
|