fixed vulnerabilities (#392)

This commit is contained in:
Lunny Xiao 2016-12-15 16:49:06 +08:00 committed by GitHub
parent d771e978a1
commit b4c794058a
4 changed files with 37 additions and 12 deletions

View file

@ -88,7 +88,14 @@ func UpdateAccessToken(t *AccessToken) error {
} }
// DeleteAccessTokenByID deletes access token by given ID. // DeleteAccessTokenByID deletes access token by given ID.
func DeleteAccessTokenByID(id int64) error { func DeleteAccessTokenByID(id, userID int64) error {
_, err := x.Id(id).Delete(new(AccessToken)) cnt, err := x.Id(id).Delete(&AccessToken{
return err UID: userID,
})
if err != nil {
return err
} else if cnt != 1 {
return ErrAccessTokenNotExist{}
}
return nil
} }

View file

@ -5,10 +5,16 @@
package models package models
import ( import (
"errors"
"fmt" "fmt"
"strings" "strings"
) )
var (
// ErrEmailAddressNotExist email address not exist
ErrEmailAddressNotExist = errors.New("Email address does not exist")
)
// EmailAddress is the list of all email addresses of a user. Can contain the // EmailAddress is the list of all email addresses of a user. Can contain the
// primary email address, but is not obligatory. // primary email address, but is not obligatory.
type EmailAddress struct { type EmailAddress struct {
@ -139,14 +145,25 @@ func (email *EmailAddress) Activate() error {
// DeleteEmailAddress deletes an email address of given user. // DeleteEmailAddress deletes an email address of given user.
func DeleteEmailAddress(email *EmailAddress) (err error) { func DeleteEmailAddress(email *EmailAddress) (err error) {
if email.ID > 0 { var deleted int64
_, err = x.Id(email.ID).Delete(new(EmailAddress)) // ask to check UID
} else { var address = EmailAddress{
_, err = x. UID: email.UID,
Where("email=?", email.Email).
Delete(new(EmailAddress))
} }
return err if email.ID > 0 {
deleted, err = x.Id(email.ID).Delete(&address)
} else {
deleted, err = x.
Where("email=?", email.Email).
Delete(&address)
}
if err != nil {
return err
} else if deleted != 1 {
return ErrEmailAddressNotExist
}
return nil
} }
// DeleteEmailAddresses deletes multiple email addresses // DeleteEmailAddresses deletes multiple email addresses

View file

@ -73,6 +73,7 @@ func DeleteEmail(ctx *context.APIContext, form api.CreateEmailOption) {
for i := range form.Emails { for i := range form.Emails {
emails[i] = &models.EmailAddress{ emails[i] = &models.EmailAddress{
Email: form.Emails[i], Email: form.Emails[i],
UID: ctx.User.ID,
} }
} }

View file

@ -287,7 +287,7 @@ func SettingsEmailPost(ctx *context.Context, form auth.AddEmailForm) {
// DeleteEmail response for delete user's email // DeleteEmail response for delete user's email
func DeleteEmail(ctx *context.Context) { func DeleteEmail(ctx *context.Context) {
if err := models.DeleteEmailAddress(&models.EmailAddress{ID: ctx.QueryInt64("id")}); err != nil { if err := models.DeleteEmailAddress(&models.EmailAddress{ID: ctx.QueryInt64("id"), UID: ctx.User.ID}); err != nil {
ctx.Handle(500, "DeleteEmail", err) ctx.Handle(500, "DeleteEmail", err)
return return
} }
@ -422,7 +422,7 @@ func SettingsApplicationsPost(ctx *context.Context, form auth.NewAccessTokenForm
// SettingsDeleteApplication response for delete user access token // SettingsDeleteApplication response for delete user access token
func SettingsDeleteApplication(ctx *context.Context) { func SettingsDeleteApplication(ctx *context.Context) {
if err := models.DeleteAccessTokenByID(ctx.QueryInt64("id")); err != nil { if err := models.DeleteAccessTokenByID(ctx.QueryInt64("id"), ctx.User.ID); err != nil {
ctx.Flash.Error("DeleteAccessTokenByID: " + err.Error()) ctx.Flash.Error("DeleteAccessTokenByID: " + err.Error())
} else { } else {
ctx.Flash.Success(ctx.Tr("settings.delete_token_success")) ctx.Flash.Success(ctx.Tr("settings.delete_token_success"))