fixed vulnerabilities (#392)

This commit is contained in:
Lunny Xiao 2016-12-15 16:49:06 +08:00 committed by GitHub
parent d771e978a1
commit b4c794058a
4 changed files with 37 additions and 12 deletions

@ -88,7 +88,14 @@ func UpdateAccessToken(t *AccessToken) error {
}
// DeleteAccessTokenByID deletes access token by given ID.
func DeleteAccessTokenByID(id int64) error {
_, err := x.Id(id).Delete(new(AccessToken))
return err
func DeleteAccessTokenByID(id, userID int64) error {
cnt, err := x.Id(id).Delete(&AccessToken{
UID: userID,
})
if err != nil {
return err
} else if cnt != 1 {
return ErrAccessTokenNotExist{}
}
return nil
}

@ -5,10 +5,16 @@
package models
import (
"errors"
"fmt"
"strings"
)
var (
// ErrEmailAddressNotExist email address not exist
ErrEmailAddressNotExist = errors.New("Email address does not exist")
)
// EmailAddress is the list of all email addresses of a user. Can contain the
// primary email address, but is not obligatory.
type EmailAddress struct {
@ -139,14 +145,25 @@ func (email *EmailAddress) Activate() error {
// DeleteEmailAddress deletes an email address of given user.
func DeleteEmailAddress(email *EmailAddress) (err error) {
if email.ID > 0 {
_, err = x.Id(email.ID).Delete(new(EmailAddress))
} else {
_, err = x.
Where("email=?", email.Email).
Delete(new(EmailAddress))
var deleted int64
// ask to check UID
var address = EmailAddress{
UID: email.UID,
}
return err
if email.ID > 0 {
deleted, err = x.Id(email.ID).Delete(&address)
} else {
deleted, err = x.
Where("email=?", email.Email).
Delete(&address)
}
if err != nil {
return err
} else if deleted != 1 {
return ErrEmailAddressNotExist
}
return nil
}
// DeleteEmailAddresses deletes multiple email addresses

@ -73,6 +73,7 @@ func DeleteEmail(ctx *context.APIContext, form api.CreateEmailOption) {
for i := range form.Emails {
emails[i] = &models.EmailAddress{
Email: form.Emails[i],
UID: ctx.User.ID,
}
}

@ -287,7 +287,7 @@ func SettingsEmailPost(ctx *context.Context, form auth.AddEmailForm) {
// DeleteEmail response for delete user's email
func DeleteEmail(ctx *context.Context) {
if err := models.DeleteEmailAddress(&models.EmailAddress{ID: ctx.QueryInt64("id")}); err != nil {
if err := models.DeleteEmailAddress(&models.EmailAddress{ID: ctx.QueryInt64("id"), UID: ctx.User.ID}); err != nil {
ctx.Handle(500, "DeleteEmail", err)
return
}
@ -422,7 +422,7 @@ func SettingsApplicationsPost(ctx *context.Context, form auth.NewAccessTokenForm
// SettingsDeleteApplication response for delete user access token
func SettingsDeleteApplication(ctx *context.Context) {
if err := models.DeleteAccessTokenByID(ctx.QueryInt64("id")); err != nil {
if err := models.DeleteAccessTokenByID(ctx.QueryInt64("id"), ctx.User.ID); err != nil {
ctx.Flash.Error("DeleteAccessTokenByID: " + err.Error())
} else {
ctx.Flash.Success(ctx.Tr("settings.delete_token_success"))