forked from gitea/gitea
fixed vulnerabilities (#392)
This commit is contained in:
parent
d771e978a1
commit
b4c794058a
|
@ -88,7 +88,14 @@ func UpdateAccessToken(t *AccessToken) error {
|
||||||
}
|
}
|
||||||
|
|
||||||
// DeleteAccessTokenByID deletes access token by given ID.
|
// DeleteAccessTokenByID deletes access token by given ID.
|
||||||
func DeleteAccessTokenByID(id int64) error {
|
func DeleteAccessTokenByID(id, userID int64) error {
|
||||||
_, err := x.Id(id).Delete(new(AccessToken))
|
cnt, err := x.Id(id).Delete(&AccessToken{
|
||||||
|
UID: userID,
|
||||||
|
})
|
||||||
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
|
} else if cnt != 1 {
|
||||||
|
return ErrAccessTokenNotExist{}
|
||||||
|
}
|
||||||
|
return nil
|
||||||
}
|
}
|
||||||
|
|
|
@ -5,10 +5,16 @@
|
||||||
package models
|
package models
|
||||||
|
|
||||||
import (
|
import (
|
||||||
|
"errors"
|
||||||
"fmt"
|
"fmt"
|
||||||
"strings"
|
"strings"
|
||||||
)
|
)
|
||||||
|
|
||||||
|
var (
|
||||||
|
// ErrEmailAddressNotExist email address not exist
|
||||||
|
ErrEmailAddressNotExist = errors.New("Email address does not exist")
|
||||||
|
)
|
||||||
|
|
||||||
// EmailAddress is the list of all email addresses of a user. Can contain the
|
// EmailAddress is the list of all email addresses of a user. Can contain the
|
||||||
// primary email address, but is not obligatory.
|
// primary email address, but is not obligatory.
|
||||||
type EmailAddress struct {
|
type EmailAddress struct {
|
||||||
|
@ -139,14 +145,25 @@ func (email *EmailAddress) Activate() error {
|
||||||
|
|
||||||
// DeleteEmailAddress deletes an email address of given user.
|
// DeleteEmailAddress deletes an email address of given user.
|
||||||
func DeleteEmailAddress(email *EmailAddress) (err error) {
|
func DeleteEmailAddress(email *EmailAddress) (err error) {
|
||||||
if email.ID > 0 {
|
var deleted int64
|
||||||
_, err = x.Id(email.ID).Delete(new(EmailAddress))
|
// ask to check UID
|
||||||
} else {
|
var address = EmailAddress{
|
||||||
_, err = x.
|
UID: email.UID,
|
||||||
Where("email=?", email.Email).
|
|
||||||
Delete(new(EmailAddress))
|
|
||||||
}
|
}
|
||||||
|
if email.ID > 0 {
|
||||||
|
deleted, err = x.Id(email.ID).Delete(&address)
|
||||||
|
} else {
|
||||||
|
deleted, err = x.
|
||||||
|
Where("email=?", email.Email).
|
||||||
|
Delete(&address)
|
||||||
|
}
|
||||||
|
|
||||||
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
|
} else if deleted != 1 {
|
||||||
|
return ErrEmailAddressNotExist
|
||||||
|
}
|
||||||
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
// DeleteEmailAddresses deletes multiple email addresses
|
// DeleteEmailAddresses deletes multiple email addresses
|
||||||
|
|
|
@ -73,6 +73,7 @@ func DeleteEmail(ctx *context.APIContext, form api.CreateEmailOption) {
|
||||||
for i := range form.Emails {
|
for i := range form.Emails {
|
||||||
emails[i] = &models.EmailAddress{
|
emails[i] = &models.EmailAddress{
|
||||||
Email: form.Emails[i],
|
Email: form.Emails[i],
|
||||||
|
UID: ctx.User.ID,
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -287,7 +287,7 @@ func SettingsEmailPost(ctx *context.Context, form auth.AddEmailForm) {
|
||||||
|
|
||||||
// DeleteEmail response for delete user's email
|
// DeleteEmail response for delete user's email
|
||||||
func DeleteEmail(ctx *context.Context) {
|
func DeleteEmail(ctx *context.Context) {
|
||||||
if err := models.DeleteEmailAddress(&models.EmailAddress{ID: ctx.QueryInt64("id")}); err != nil {
|
if err := models.DeleteEmailAddress(&models.EmailAddress{ID: ctx.QueryInt64("id"), UID: ctx.User.ID}); err != nil {
|
||||||
ctx.Handle(500, "DeleteEmail", err)
|
ctx.Handle(500, "DeleteEmail", err)
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
@ -422,7 +422,7 @@ func SettingsApplicationsPost(ctx *context.Context, form auth.NewAccessTokenForm
|
||||||
|
|
||||||
// SettingsDeleteApplication response for delete user access token
|
// SettingsDeleteApplication response for delete user access token
|
||||||
func SettingsDeleteApplication(ctx *context.Context) {
|
func SettingsDeleteApplication(ctx *context.Context) {
|
||||||
if err := models.DeleteAccessTokenByID(ctx.QueryInt64("id")); err != nil {
|
if err := models.DeleteAccessTokenByID(ctx.QueryInt64("id"), ctx.User.ID); err != nil {
|
||||||
ctx.Flash.Error("DeleteAccessTokenByID: " + err.Error())
|
ctx.Flash.Error("DeleteAccessTokenByID: " + err.Error())
|
||||||
} else {
|
} else {
|
||||||
ctx.Flash.Success(ctx.Tr("settings.delete_token_success"))
|
ctx.Flash.Success(ctx.Tr("settings.delete_token_success"))
|
||||||
|
|
Loading…
Reference in New Issue