authorUnknwon <u@gogs.io>2016-12-22 19:19:56 -0500
committerUnknwon <u@gogs.io>2016-12-22 19:19:56 -0500
commit7ebe0a99169f2a143ccb20da5d1918a99ccaaf7d (patch)
treef5df6ce75d7651681dddd47869c87687a208c868 /routers/user/setting.go
parent89e93fe01e3942546b0d2cd5e031157848178916 (diff)
Fix vulnerabilities reported in #3959
Diffstat (limited to 'routers/user/setting.go')
-rw-r--r--routers/user/setting.go7
1 files changed, 5 insertions, 2 deletions
diff --git a/routers/user/setting.go b/routers/user/setting.go
index 35bff326..9d09646c 100644
--- a/routers/user/setting.go
+++ b/routers/user/setting.go
@@ -280,7 +280,10 @@ func SettingsEmailPost(ctx *context.Context, form auth.AddEmailForm) {
}
func DeleteEmail(ctx *context.Context) {
- if err := models.DeleteEmailAddress(&models.EmailAddress{ID: ctx.QueryInt64("id")}); err != nil {
+ if err := models.DeleteEmailAddress(&models.EmailAddress{
+ ID: ctx.QueryInt64("id"),
+ UID: ctx.User.ID,
+ }); err != nil {
ctx.Handle(500, "DeleteEmail", err)
return
}
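Review bot: The ownership check in DeleteEmail now rests entirely on `models.DeleteEmailAddress` including the `UID` field in its delete condition, and that function is not visible here because the diffstat is limited to this file. If the model still deletes by `ID` alone whenever `ID` is set, the added `UID: ctx.User.ID` has no effect, so the model change should be reviewed together with this call and covered by a test that attempts to delete an address owned by a different account and expects the row to remain. A short comment above the call would record the intent, for example `// Scope the delete to the signed-in user; an id owned by another account must not be removed.` The body of DeleteEmail continues past the end of the hunk.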
@@ -409,7 +412,7 @@ func SettingsApplicationsPost(ctx *context.Context, form auth.NewAccessTokenForm
}
func SettingsDeleteApplication(ctx *context.Context) {
- if err := models.DeleteAccessTokenByID(ctx.QueryInt64("id")); err != nil {
+ if err := models.DeleteAccessTokenByUserID(ctx.User.ID, ctx.QueryInt64("id")); err != nil {
ctx.Flash.Error("DeleteAccessTokenByID: " + err.Error())
} else {
ctx.Flash.Success(ctx.Tr("settings.delete_token_success"))
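Review bot: The error branch still labels the flash message `"DeleteAccessTokenByID: "` although the call is now `models.DeleteAccessTokenByUserID`, and it passes the raw `err.Error()` text to the user. At minimum the label should follow the new function, `ctx.Flash.Error("DeleteAccessTokenByUserID: " + err.Error())`; it would be better to log the error server-side and flash a generic translated message so storage-layer details are not shown in the UI. From this hunk it cannot be seen whether a token id that belongs to another user produces an error or a silent no-op followed by the success flash, so that case deserves a test. SettingsDeleteApplication continues beyond the hunk.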