From f9e300f94207af1078634aaff0c1c9c40920fe6c Mon Sep 17 00:00:00 2001
From: Lunny Xiao <xiaolunwen@gmail.com>
Date: Thu, 15 Dec 2016 09:20:11 +0800
Subject: [PATCH] fixed vulnerabilities

---
 models/token.go              | 13 ++++++++++---
 models/user_mail.go          | 25 +++++++++++++++++++++----
 routers/api/v1/user/email.go |  1 +
 routers/user/setting.go      |  4 ++--
 4 files changed, 34 insertions(+), 9 deletions(-)

diff --git a/models/token.go b/models/token.go
index 03ea554fbb2d6..6b2898a49d4e8 100644
--- a/models/token.go
+++ b/models/token.go
@@ -88,7 +88,14 @@ func UpdateAccessToken(t *AccessToken) error {
 }
 
 // DeleteAccessTokenByID deletes access token by given ID.
-func DeleteAccessTokenByID(id int64) error {
-	_, err := x.Id(id).Delete(new(AccessToken))
-	return err
+func DeleteAccessTokenByID(id, userID int64) error {
+	cnt, err := x.Id(id).Delete(&AccessToken{
+		UID: userID,
+	})
+	if err != nil {
+		return err
+	} else if cnt != 1 {
+		return ErrAccessTokenNotExist{}
+	}
+	return nil
 }
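Review bot: The ownership filter added on lines 25-27 only takes effect when userID is non-zero: xorm, as far as I recall, omits zero-valued struct fields from the generated WHERE clause, so a call with userID == 0 would silently fall back to the unscoped delete-by-ID this commit is removing. Rather than relying on every caller to pass a real user ID, guard it in the model: `if userID <= 0 { return ErrAccessTokenNotExist{} }` before the Delete. The doc comment should also say why the second argument exists, e.g. `// DeleteAccessTokenByID deletes the access token with the given ID, but only if it belongs to userID; any other case yields ErrAccessTokenNotExist.`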
diff --git a/models/user_mail.go b/models/user_mail.go
index 69f87c2b3727d..49d1bf78b2b38 100644
--- a/models/user_mail.go
+++ b/models/user_mail.go
@@ -5,10 +5,16 @@
 package models
 
 import (
+	"errors"
 	"fmt"
 	"strings"
 )
 
+var (
+	// ErrEmailAddressNotExist email address not exist
+	ErrEmailAddressNotExist = errors.New("Email address does not exist")
+)
+
 // EmailAddress is the list of all email addresses of a user. Can contain the
 // primary email address, but is not obligatory.
 type EmailAddress struct {
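Review bot: The sentinel's message on line 50 is capitalised, against the Go convention that error strings are lowercase with no trailing punctuation because they are usually wrapped mid-sentence; `ErrEmailAddressNotExist = errors.New("email address does not exist")`. The doc comment could state the contract instead of restating the name, e.g. `// ErrEmailAddressNotExist is returned when no email address row matches the given ID or address for the owning user.` It is also a plain sentinel while the token counterpart in models/token.go is a struct type (ErrAccessTokenNotExist{}), so callers have to check the two differently; worth aligning if the project has a preferred form.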
@@ -139,14 +145,25 @@ func (email *EmailAddress) Activate() error {
 
 // DeleteEmailAddress deletes an email address of given user.
 func DeleteEmailAddress(email *EmailAddress) (err error) {
+	var deleted int64
+	// ask to check UID
+	var address = EmailAddress{
+		UID: email.UID,
+	}
 	if email.ID > 0 {
-		_, err = x.Id(email.ID).Delete(new(EmailAddress))
+		deleted, err = x.Id(email.ID).Delete(&address)
 	} else {
-		_, err = x.
+		deleted, err = x.
 			Where("email=?", email.Email).
-			Delete(new(EmailAddress))
+			Delete(&address)
 	}
-	return err
+
+	if err != nil {
+		return err
+	} else if deleted != 1 {
+		return ErrEmailAddressNotExist
+	}
+	return nil
 }
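Review bot: As with the token change, the UID carried in `address` (lines 62-64) is only applied when email.UID is non-zero, since xorm, to my recollection, drops zero-valued struct fields from the condition; in the `else` branch on lines 70-73 that would reduce the query to `email=?` alone and delete whichever user's row has that address. An explicit guard at the top keeps the model safe regardless of caller, `if email.UID <= 0 { return ErrEmailAddressNotExist }`. The comment `// ask to check UID` on line 61 does not explain this; `// UID is set on the delete struct so the row is only removed if it belongs to email.UID.` would.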
 
 // DeleteEmailAddresses deletes multiple email addresses
diff --git a/routers/api/v1/user/email.go b/routers/api/v1/user/email.go
index f42fc11cf65ae..0d83aa38c1185 100644
--- a/routers/api/v1/user/email.go
+++ b/routers/api/v1/user/email.go
@@ -73,6 +73,7 @@ func DeleteEmail(ctx *context.APIContext, form api.CreateEmailOption) {
 	for i := range form.Emails {
 		emails[i] = &models.EmailAddress{
 			Email: form.Emails[i],
+			UID:   ctx.User.ID,
 		}
 	}
 
diff --git a/routers/user/setting.go b/routers/user/setting.go
index 1d405fba375ea..bbb4d99c02388 100644
--- a/routers/user/setting.go
+++ b/routers/user/setting.go
@@ -287,7 +287,7 @@ func SettingsEmailPost(ctx *context.Context, form auth.AddEmailForm) {
 
 // DeleteEmail response for delete user's email
 func DeleteEmail(ctx *context.Context) {
-	if err := models.DeleteEmailAddress(&models.EmailAddress{ID: ctx.QueryInt64("id")}); err != nil {
+	if err := models.DeleteEmailAddress(&models.EmailAddress{ID: ctx.QueryInt64("id"), UID: ctx.User.ID}); err != nil {
 		ctx.Handle(500, "DeleteEmail", err)
 		return
 	}
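Review bot: Deleting an ID the user does not own now surfaces ErrEmailAddressNotExist, and the unchanged line 108 turns that into a 500, which mislabels a client-side refusal as a server fault and will show up as an error in the logs. Branch on the sentinel before the generic handler: `if err == models.ErrEmailAddressNotExist { ctx.Handle(404, "DeleteEmail", err); return }`. Returning the same 404 for not-found and not-owned also avoids telling a probing client whether the ID exists. The remainder of DeleteEmail lies past the end of the hunk.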
@@ -422,7 +422,7 @@ func SettingsApplicationsPost(ctx *context.Context, form auth.NewAccessTokenForm
 
 // SettingsDeleteApplication response for delete user access token
 func SettingsDeleteApplication(ctx *context.Context) {
-	if err := models.DeleteAccessTokenByID(ctx.QueryInt64("id")); err != nil {
+	if err := models.DeleteAccessTokenByID(ctx.QueryInt64("id"), ctx.User.ID); err != nil {
 		ctx.Flash.Error("DeleteAccessTokenByID: " + err.Error())
 	} else {
 		ctx.Flash.Success(ctx.Tr("settings.delete_token_success"))
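Review bot: Line 117 flashes the raw err.Error() to the user, so a token the user does not own now produces a message prefixed with the internal function name (`DeleteAccessTokenByID: ...`) plus whatever ErrAccessTokenNotExist prints, which is not visible here. Prefer a translated user-facing message and keep the raw error in the log, e.g. `ctx.Flash.Error(ctx.Tr("settings.delete_token_failed"))` after a `log.Error(...)` call in whichever logging style this file uses. The function continues beyond the hunk.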