fixed vulnerabilities (#392)

Author: lunny

models/token.go

@@ -88,7 +88,14 @@ func UpdateAccessToken(t *AccessToken) error {
 }
 
 // DeleteAccessTokenByID deletes access token by given ID.
-func DeleteAccessTokenByID(id int64) error {
-	_, err := x.Id(id).Delete(new(AccessToken))
-	return err
+func DeleteAccessTokenByID(id, userID int64) error {
+	cnt, err := x.Id(id).Delete(&AccessToken{
+		UID: userID,
+	})
+	if err != nil {
+		return err
+	} else if cnt != 1 {
+		return ErrAccessTokenNotExist{}
+	}
+	return nil
 }

models/user_mail.go

@@ -5,10 +5,16 @@
 package models
 
 import (
+	"errors"
 	"fmt"
 	"strings"
 )
 
+var (
+	// ErrEmailAddressNotExist email address not exist
+	ErrEmailAddressNotExist = errors.New("Email address does not exist")
+)
+
 // EmailAddress is the list of all email addresses of a user. Can contain the
 // primary email address, but is not obligatory.
 type EmailAddress struct {
@@ -139,14 +145,25 @@ func (email *EmailAddress) Activate() error {
 
 // DeleteEmailAddress deletes an email address of given user.
 func DeleteEmailAddress(email *EmailAddress) (err error) {
+	var deleted int64
+	// ask to check UID
+	var address = EmailAddress{
+		UID: email.UID,
+	}
 	if email.ID > 0 {
-		_, err = x.Id(email.ID).Delete(new(EmailAddress))
+		deleted, err = x.Id(email.ID).Delete(&address)
 	} else {
-		_, err = x.
+		deleted, err = x.
 			Where("email=?", email.Email).
-			Delete(new(EmailAddress))
+			Delete(&address)
 	}
-	return err
+
+	if err != nil {
+		return err
+	} else if deleted != 1 {
+		return ErrEmailAddressNotExist
+	}
+	return nil
 }
 
 // DeleteEmailAddresses deletes multiple email addresses

routers/api/v1/user/email.go

@@ -73,6 +73,7 @@ func DeleteEmail(ctx *context.APIContext, form api.CreateEmailOption) {
 	for i := range form.Emails {
 		emails[i] = &models.EmailAddress{
 			Email: form.Emails[i],
+			UID:   ctx.User.ID,
 		}
 	}
 

routers/user/setting.go

@@ -287,7 +287,7 @@ func SettingsEmailPost(ctx *context.Context, form auth.AddEmailForm) {
 
 // DeleteEmail response for delete user's email
 func DeleteEmail(ctx *context.Context) {
-	if err := models.DeleteEmailAddress(&models.EmailAddress{ID: ctx.QueryInt64("id")}); err != nil {
+	if err := models.DeleteEmailAddress(&models.EmailAddress{ID: ctx.QueryInt64("id"), UID: ctx.User.ID}); err != nil {
 		ctx.Handle(500, "DeleteEmail", err)
 		return
 	}
@@ -422,7 +422,7 @@ func SettingsApplicationsPost(ctx *context.Context, form auth.NewAccessTokenForm
 
 // SettingsDeleteApplication response for delete user access token
 func SettingsDeleteApplication(ctx *context.Context) {
-	if err := models.DeleteAccessTokenByID(ctx.QueryInt64("id")); err != nil {
+	if err := models.DeleteAccessTokenByID(ctx.QueryInt64("id"), ctx.User.ID); err != nil {
 		ctx.Flash.Error("DeleteAccessTokenByID: " + err.Error())
 	} else {
 		ctx.Flash.Success(ctx.Tr("settings.delete_token_success"))