fixed vulnerabilities (#392)

models/token.go

@@ -88,7 +88,14 @@ func UpdateAccessToken(t *AccessToken) error {
 }
 
 // DeleteAccessTokenByID deletes access token by given ID.
-func DeleteAccessTokenByID(id int64) error {
-	_, err := x.Id(id).Delete(new(AccessToken))
-	return err
+func DeleteAccessTokenByID(id, userID int64) error {
+	cnt, err := x.Id(id).Delete(&AccessToken{
+		UID: userID,
+	})
+	if err != nil {
+		return err
+	} else if cnt != 1 {
+		return ErrAccessTokenNotExist{}
+	}
+	return nil
 }

models/user_mail.go

@@ -5,10 +5,16 @@
 package models
 
 import (
+	"errors"
 	"fmt"
 	"strings"
 )
 
+var (
+	// ErrEmailAddressNotExist email address not exist
+	ErrEmailAddressNotExist = errors.New("Email address does not exist")
+)
+
 // EmailAddress is the list of all email addresses of a user. Can contain the
 // primary email address, but is not obligatory.
 type EmailAddress struct {
@@ -139,14 +145,25 @@ func (email *EmailAddress) Activate() error {
 
 // DeleteEmailAddress deletes an email address of given user.
 func DeleteEmailAddress(email *EmailAddress) (err error) {
-	if email.ID > 0 {
-		_, err = x.Id(email.ID).Delete(new(EmailAddress))
-	} else {
-		_, err = x.
-			Where("email=?", email.Email).
-			Delete(new(EmailAddress))
+	var deleted int64
+	// ask to check UID
+	var address = EmailAddress{
+		UID: email.UID,
 	}
-	return err
+	if email.ID > 0 {
+		deleted, err = x.Id(email.ID).Delete(&address)
+	} else {
+		deleted, err = x.
+			Where("email=?", email.Email).
+			Delete(&address)
+	}
+
+	if err != nil {
+		return err
+	} else if deleted != 1 {
+		return ErrEmailAddressNotExist
+	}
+	return nil
 }
 
 // DeleteEmailAddresses deletes multiple email addresses