author | Lunny Xiao <xiaolunwen@gmail.com> | 2016-12-15 16:49:06 +0800 |
---|---|---|
committer | GitHub <noreply@github.com> | 2016-12-15 16:49:06 +0800 |
commit | b4c794058aa57426679877444b52561e7e16ef2b (patch) | |
tree | 0835bc252a72077f7fe9f7daa4d02ff4059d8c27 /models | |
parent | d771e978a108517ca5833b5e2f17b45e2d7dc6ca (diff) | |
fixed vulnerabilities (#392)
Diffstat (limited to 'models')
-rw-r--r-- | models/token.go | 13 | ||||
-rw-r--r-- | models/user_mail.go | 25 |
2 files changed, 31 insertions, 7 deletions
diff --git a/models/token.go b/models/token.go
index 03ea554fbb..6b2898a49d 100644
--- a/models/token.go
+++ b/models/token.go
@@ -88,7 +88,14 @@ func UpdateAccessToken(t *AccessToken) error {
 }
 // DeleteAccessTokenByID deletes access token by given ID.
-func DeleteAccessTokenByID(id int64) error {
- _, err := x.Id(id).Delete(new(AccessToken))
- return err
+func DeleteAccessTokenByID(id, userID int64) error {
+ cnt, err := x.Id(id).Delete(&AccessToken{
+ UID: userID,
+ })
+ if err != nil {
+ return err
+ } else if cnt != 1 {
+ return ErrAccessTokenNotExist{}
+ }
+ return nil
 }
diff --git a/models/user_mail.go b/models/user_mail.go
index 69f87c2b37..49d1bf78b2 100644
--- a/models/user_mail.go
+++ b/models/user_mail.go
@@ -5,10 +5,16 @@
 package models
 import (
+ "errors"
 "fmt"
 "strings"
 )
+var (
+ // ErrEmailAddressNotExist email address not exist
+ ErrEmailAddressNotExist = errors.New("Email address does not exist")
+)
+
 // EmailAddress is the list of all email addresses of a user. Can contain the
 // primary email address, but is not obligatory.
 type EmailAddress struct {
@@ -139,14 +145,25 @@ func (email *EmailAddress) Activate() error {
 // DeleteEmailAddress deletes an email address of given user.
 func DeleteEmailAddress(email *EmailAddress) (err error) {
+ var deleted int64
+ // ask to check UID
+ var address = EmailAddress{
+ UID: email.UID,
+ }
 if email.ID > 0 {
- _, err = x.Id(email.ID).Delete(new(EmailAddress))
+ deleted, err = x.Id(email.ID).Delete(&address)
 } else {
- _, err = x.
+ deleted, err = x.
 Where("email=?", email.Email).
- Delete(new(EmailAddress))
+ Delete(&address)
 }
- return err
+
+ if err != nil {
+ return err
+ } else if deleted != 1 {
+ return ErrEmailAddressNotExist
+ }
+ return nil
 }
 // DeleteEmailAddresses deletes multiple email addresses |
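Review bot: The owner check in `DeleteAccessTokenByID` only takes effect when `UID: userID` is non-zero. xorm builds the delete condition from the non-zero fields of the bean, so a call with `userID == 0` would presumably fall back to deleting by `id` alone, which is the behaviour this commit sets out to remove. Reject that case before the query, e.g. `if userID <= 0 { return ErrAccessTokenNotExist{} }`, or state the owner filter in an explicit `Where` clause instead of relying on the bean. The same applies to `EmailAddress{UID: email.UID}` in `DeleteEmailAddress` in models/user_mail.go. Callers are outside this diff, so confirm that each one passes the authenticated user's ID rather than a request-supplied value.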
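Review bot: The message in `ErrEmailAddressNotExist` starts with a capital letter, whereas Go error strings are conventionally lowercase with no trailing punctuation because they get wrapped into longer messages: `errors.New("email address does not exist")`. models/token.go in this same commit returns a typed error (`ErrAccessTokenNotExist{}`) for the equivalent case, so the two delete paths report "not found or not owned" in different styles. The doc comment would read better as `// ErrEmailAddressNotExist is returned when no email address matches the given ID or address for the given owner.`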
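Review bot: `DeleteEmailAddress` now has an authorization contract that its comments do not state: the row is removed only when it belongs to `email.UID`, and `ErrEmailAddressNotExist` is returned when nothing matched. I would replace `// ask to check UID` with `// restrict the delete to rows owned by email.UID`. The doc comment should also say that callers must set UID to the acting user and that a missing or foreign address yields ErrEmailAddressNotExist. Note also that `deleted != 1` is evaluated after the statement has run, so in the `Where("email=?", ...)` branch a match on more than one row would return the error even though rows were removed; whether that can happen depends on a uniqueness constraint not visible here.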