diff --git a/src/routes/test/apps-test.js b/src/routes/test/apps-test.js
index 31a93bbb1..d5160b5da 100644
--- a/src/routes/test/apps-test.js
+++ b/src/routes/test/apps-test.js
@@ -537,7 +537,6 @@ describe('App API', function () {
 it('cannot uninstall invalid app', function (done) {
 superagent.post(SERVER_URL + '/api/v1/apps/whatever/uninstall')
- .send({ password: PASSWORD })
 .query({ access_token: token })
 .end(function (err, res) {
 expect(res.statusCode).to.equal(404);
@@ -545,28 +544,8 @@ describe('App API', function () {
 });
 });
- it('cannot uninstall app without password', function (done) {
- superagent.post(SERVER_URL + '/api/v1/apps/' + APP_ID + '/uninstall')
- .query({ access_token: token })
- .end(function (err, res) {
- expect(res.statusCode).to.equal(400);
- done();
- });
- });
-
- it('cannot uninstall app with wrong password', function (done) {
- superagent.post(SERVER_URL + '/api/v1/apps/' + APP_ID + '/uninstall')
- .send({ password: PASSWORD+PASSWORD })
- .query({ access_token: token })
- .end(function (err, res) {
- expect(res.statusCode).to.equal(403);
- done();
- });
- });
-
 it('non admin cannot uninstall app', function (done) {
 superagent.post(SERVER_URL + '/api/v1/apps/' + APP_ID + '/uninstall')
- .send({ password: PASSWORD })
 .query({ access_token: token_1 })
 .end(function (err, res) {
 expect(res.statusCode).to.equal(403);
@@ -579,7 +558,6 @@ describe('App API', function () {
 var fake2 = nock(config.apiServerOrigin()).delete(function (uri) { return uri.indexOf('/api/v1/cloudronapps/') >= 0; }).reply(204, { });
 superagent.post(SERVER_URL + '/api/v1/apps/' + APP_ID + '/uninstall')
- .send({ password: PASSWORD })
 .query({ access_token: token })
 .end(function (err, res) {
 expect(res.statusCode).to.equal(202);
@@ -1146,7 +1124,6 @@ describe('App installation', function () {
 }
 superagent.post(SERVER_URL + '/api/v1/apps/' + APP_ID + '/uninstall')
- .send({ password: PASSWORD })
 .query({ access_token: token })
 .end(function (err, res) {
 expect(res.statusCode).to.equal(202);
diff --git a/src/routes/test/domains-test.js b/src/routes/test/domains-test.js
index b3764ed5c..24da68315 100644
--- a/src/routes/test/domains-test.js
+++ b/src/routes/test/domains-test.js
@@ -253,7 +253,6 @@ describe('Domains API', function () {
 it('cannot delete locked domain', function (done) {
 superagent.delete(SERVER_URL + '/api/v1/domains/' + DOMAIN_0.domain)
 .query({ access_token: token })
- .send({ password: PASSWORD })
 .end(function (error, result) {
 expect(result.statusCode).to.equal(423);
 done();
@@ -262,31 +261,9 @@ describe('Domains API', function () {
 });
 describe('delete', function () {
- it('fails without password', function (done) {
- superagent.delete(SERVER_URL + '/api/v1/domains/' + DOMAIN_0.domain)
- .query({ access_token: token })
- .end(function (error, result) {
- expect(result.statusCode).to.equal(400);
-
- done();
- });
- });
-
- it('fails with wrong password', function (done) {
- superagent.delete(SERVER_URL + '/api/v1/domains/' + DOMAIN_0.domain)
- .query({ access_token: token })
- .send({ password: PASSWORD + PASSWORD })
- .end(function (error, result) {
- expect(result.statusCode).to.equal(403);
-
- done();
- });
- });
-
 it('fails for non-existing domain', function (done) {
 superagent.delete(SERVER_URL + '/api/v1/domains/' + DOMAIN_0.domain + DOMAIN_0.domain)
 .query({ access_token: token })
- .send({ password: PASSWORD })
 .end(function (error, result) {
 expect(result.statusCode).to.equal(404);
@@ -297,7 +274,6 @@ describe('Domains API', function () {
 it('succeeds', function (done) {
 superagent.delete(SERVER_URL + '/api/v1/domains/' + DOMAIN_0.domain)
 .query({ access_token: token })
- .send({ password: PASSWORD })
 .end(function (error, result) {
 expect(result.statusCode).to.equal(204);
diff --git a/src/routes/test/groups-test.js b/src/routes/test/groups-test.js
index bd3457523..4d21a6891 100644
--- a/src/routes/test/groups-test.js
+++ b/src/routes/test/groups-test.js
@@ -250,7 +250,6 @@ describe('Groups API', function () {
 it('can remove empty group', function (done) {
 superagent.del(SERVER_URL + '/api/v1/groups/' + group1Object.id)
- .send({ password: PASSWORD })
 .query({ access_token: token })
 .end(function (error, result) {
 expect(result.statusCode).to.equal(204);
@@ -260,7 +259,6 @@ describe('Groups API', function () {
 it('can remove non-empty group', function (done) {
 superagent.del(SERVER_URL + '/api/v1/groups/' + groupObject.id)
- .send({ password: PASSWORD })
 .query({ access_token: token })
 .end(function (error, result) {
 expect(result.statusCode).to.equal(204);
diff --git a/src/routes/test/mail-test.js b/src/routes/test/mail-test.js
index d84cfc9e4..69de351bf 100644
--- a/src/routes/test/mail-test.js
+++ b/src/routes/test/mail-test.js
@@ -190,29 +190,9 @@ describe('Mail API', function () {
 });
 });
- it('cannot delete domain without password', function (done) {
- superagent.del(SERVER_URL + '/api/v1/mail/doesnotexist.com')
- .query({ access_token: token })
- .end(function (err, res) {
- expect(res.statusCode).to.equal(400);
- done();
- });
- });
-
- it('cannot delete domain with wrong password', function (done) {
- superagent.del(SERVER_URL + '/api/v1/mail/doesnotexist.com')
- .send({ password: PASSWORD+PASSWORD })
- .query({ access_token: token })
- .end(function (err, res) {
- expect(res.statusCode).to.equal(403);
- done();
- });
- });
-
 it('cannot delete non-existing domain', function (done) {
 superagent.del(SERVER_URL + '/api/v1/mail/doesnotexist.com')
 .query({ access_token: token })
- .send({ password: PASSWORD })
 .end(function (err, res) {
 expect(res.statusCode).to.equal(404);
 done();
@@ -221,7 +201,6 @@ describe('Mail API', function () {
 it('cannot delete admin mail domain', function (done) {
 superagent.del(SERVER_URL + '/api/v1/mail/' + ADMIN_DOMAIN.domain)
- .send({ password: PASSWORD })
 .query({ access_token: token })
 .end(function (err, res) {
 expect(res.statusCode).to.equal(409);
@@ -231,7 +210,6 @@ describe('Mail API', function () {
 it('can delete admin mail domain', function (done) {
 superagent.del(SERVER_URL + '/api/v1/mail/' + DOMAIN_0.domain)
- .send({ password: PASSWORD })
 .query({ access_token: token })
 .end(function (err, res) {
 expect(res.statusCode).to.equal(204);
@@ -289,7 +267,6 @@ describe('Mail API', function () {
 dns.resolve = resolve;
 superagent.del(SERVER_URL + '/api/v1/mail/' + DOMAIN_0.domain)
- .send({ password: PASSWORD })
 .query({ access_token: token })
 .end(function (err, res) {
 expect(res.statusCode).to.equal(204);
@@ -539,7 +516,6 @@ describe('Mail API', function () {
 after(function (done) {
 superagent.del(SERVER_URL + '/api/v1/mail/' + DOMAIN_0.domain)
- .send({ password: PASSWORD })
 .query({ access_token: token })
 .end(function (err, res) {
 expect(res.statusCode).to.equal(204);
@@ -591,7 +567,6 @@ describe('Mail API', function () {
 after(function (done) {
 superagent.del(SERVER_URL + '/api/v1/mail/' + DOMAIN_0.domain)
- .send({ password: PASSWORD })
 .query({ access_token: token })
 .end(function (err, res) {
 expect(res.statusCode).to.equal(204);
@@ -662,7 +637,6 @@ describe('Mail API', function () {
 after(function (done) {
 superagent.del(SERVER_URL + '/api/v1/mail/' + DOMAIN_0.domain)
- .send({ password: PASSWORD })
 .query({ access_token: token })
 .end(function (err, res) {
 expect(res.statusCode).to.equal(204);
@@ -740,7 +714,6 @@ describe('Mail API', function () {
 after(function (done) {
 superagent.del(SERVER_URL + '/api/v1/mail/' + DOMAIN_0.domain)
- .send({ password: PASSWORD })
 .query({ access_token: token })
 .end(function (err, res) {
 expect(res.statusCode).to.equal(204);
@@ -846,7 +819,6 @@ describe('Mail API', function () {
 if (error) return done(error);
 superagent.del(SERVER_URL + '/api/v1/mail/' + DOMAIN_0.domain)
- .send({ password: PASSWORD })
 .query({ access_token: token })
 .end(function (err, res) {
 expect(res.statusCode).to.equal(204);
@@ -972,7 +944,6 @@ describe('Mail API', function () {
 if (error) return done(error);
 superagent.del(SERVER_URL + '/api/v1/mail/' + DOMAIN_0.domain)
- .send({ password: PASSWORD })
 .query({ access_token: token })
 .end(function (err, res) {
 expect(res.statusCode).to.equal(204);
diff --git a/src/routes/test/users-test.js b/src/routes/test/users-test.js
index 6313e6aa1..8c4ec309f 100644
--- a/src/routes/test/users-test.js
+++ b/src/routes/test/users-test.js
@@ -529,7 +529,6 @@ describe('Users API', function () {
 it('remove random user fails', function (done) {
 superagent.del(SERVER_URL + '/api/v1/users/randomid')
 .query({ access_token: token })
- .send({ password: PASSWORD })
 .end(function (err, res) {
 expect(res.statusCode).to.equal(404);
 done();
@@ -539,46 +538,15 @@ describe('Users API', function () {
 it('user removes himself is not allowed', function (done) {
 superagent.del(SERVER_URL + '/api/v1/users/' + user_0.id)
 .query({ access_token: token })
- .send({ password: PASSWORD })
 .end(function (err, res) {
 expect(res.statusCode).to.equal(409);
 done();
 });
 });
- it('admin cannot remove normal user without giving a password', function (done) {
- superagent.del(SERVER_URL + '/api/v1/users/' + user_1.id)
- .query({ access_token: token })
- .end(function (err, res) {
- expect(res.statusCode).to.equal(400);
- done();
- });
- });
-
- it('admin cannot remove normal user with empty password', function (done) {
- superagent.del(SERVER_URL + '/api/v1/users/' + user_1.id)
- .query({ access_token: token })
- .send({ password: '' })
- .end(function (err, res) {
- expect(res.statusCode).to.equal(403);
- done();
- });
- });
-
- it('admin cannot remove normal user with giving wrong password', function (done) {
- superagent.del(SERVER_URL + '/api/v1/users/' + user_1.id)
- .query({ access_token: token })
- .send({ password: PASSWORD + PASSWORD })
- .end(function (err, res) {
- expect(res.statusCode).to.equal(403);
- done();
- });
- });
-
 it('admin removes normal user', function (done) {
 superagent.del(SERVER_URL + '/api/v1/users/' + user_1.id)
 .query({ access_token: token })
- .send({ password: PASSWORD })
 .end(function (err, res) {
 expect(res.statusCode).to.equal(204);
 done();
@@ -588,7 +556,6 @@ describe('Users API', function () {
 it('admin removes himself should not be allowed', function (done) {
 superagent.del(SERVER_URL + '/api/v1/users/' + user_0.id)
 .query({ access_token: token })
- .send({ password: PASSWORD })
 .end(function (err, res) {
 expect(res.statusCode).to.equal(409);
 done();
diff --git a/src/server.js b/src/server.js
index 1ccd448a6..573488f48 100644
--- a/src/server.js
+++ b/src/server.js
@@ -168,7 +168,7 @@ function initializeExpressSync() {
 router.get ('/api/v1/users', usersReadScope, routes.users.list);
 router.post('/api/v1/users', usersManageScope, routes.users.create);
 router.get ('/api/v1/users/:userId', usersManageScope, routes.users.get); // this is manage scope because it returns non-restricted fields
- router.del ('/api/v1/users/:userId', usersManageScope, routes.users.verifyPassword, routes.users.remove);
+ router.del ('/api/v1/users/:userId', usersManageScope, routes.users.remove);
 router.post('/api/v1/users/:userId', usersManageScope, routes.users.update);
 router.post('/api/v1/users/:userId/password', usersManageScope, routes.users.changePassword);
 router.put ('/api/v1/users/:userId/groups', usersManageScope, routes.users.setGroups);
@@ -182,7 +182,7 @@ function initializeExpressSync() {
 router.get ('/api/v1/groups/:groupId', usersManageScope, routes.groups.get);
 router.put ('/api/v1/groups/:groupId/members', usersManageScope, routes.groups.updateMembers);
 router.post('/api/v1/groups/:groupId', usersManageScope, routes.groups.update);
- router.del ('/api/v1/groups/:groupId', usersManageScope, routes.users.verifyPassword, routes.groups.remove);
+ router.del ('/api/v1/groups/:groupId', usersManageScope, routes.groups.remove);
 // form based login routes used by oauth2 frame
 router.get ('/api/v1/session/login', csrf, routes.oauth2.loginForm);
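Review bot: Removing `routes.users.verifyPassword` from the `router.del('/api/v1/users/:userId', …)` and `router.del('/api/v1/groups/:groupId', …)` lines takes away the only re-authentication step on these destructive routes, and the same removal is repeated for app uninstall/restore, mail stats/delete and domain delete in the later server.js hunks; after this commit a holder of a `usersManageScope` token (which the updated tests pass as the `access_token` query parameter) can delete users and groups without presenting anything the token itself does not already carry, and query-string tokens presumably surface in access logs, so a leaked token now reaches further than before. If this is a deliberate product decision, record it next to the route definitions so a later reader does not take it for an oversight, e.g. `// NOTE: destructive routes intentionally no longer require password re-verification; authorization rests on the *ManageScope token alone`, and say so in the commit message. The deleted 400/403 tests were the only coverage of that step-up; the remaining 204 tests assert the new contract only incidentally, so one explicit test per route that a request without a password body succeeds would pin it down. `initializeExpressSync` starts before these hunks.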
@@ -225,10 +225,10 @@ function initializeExpressSync() {
 router.get ('/api/v1/apps/:id/icon', routes.apps.getAppIcon);
 router.post('/api/v1/apps/install', appsManageScope, routes.apps.installApp);
- router.post('/api/v1/apps/:id/uninstall', appsManageScope, routes.users.verifyPassword, routes.apps.uninstallApp);
+ router.post('/api/v1/apps/:id/uninstall', appsManageScope, routes.apps.uninstallApp);
 router.post('/api/v1/apps/:id/configure', appsManageScope, routes.apps.configureApp);
 router.post('/api/v1/apps/:id/update', appsManageScope, routes.apps.updateApp);
- router.post('/api/v1/apps/:id/restore', appsManageScope, routes.users.verifyPassword, routes.apps.restoreApp);
+ router.post('/api/v1/apps/:id/restore', appsManageScope, routes.apps.restoreApp);
 router.post('/api/v1/apps/:id/backup', appsManageScope, routes.apps.backupApp);
 router.get ('/api/v1/apps/:id/backups', appsManageScope, routes.apps.listBackups);
 router.post('/api/v1/apps/:id/stop', appsManageScope, routes.apps.stopApp);
@@ -252,8 +252,8 @@ function initializeExpressSync() {
 // email routes
 router.get ('/api/v1/mail/:domain', mailScope, routes.mail.getDomain);
 router.post('/api/v1/mail', mailScope, routes.mail.addDomain);
- router.get ('/api/v1/mail/:domain/stats', mailScope, routes.users.verifyPassword, routes.mail.getDomainStats);
- router.del ('/api/v1/mail/:domain', mailScope, routes.users.verifyPassword, routes.mail.removeDomain);
+ router.get ('/api/v1/mail/:domain/stats', mailScope, routes.mail.getDomainStats);
+ router.del ('/api/v1/mail/:domain', mailScope, routes.mail.removeDomain);
 router.get ('/api/v1/mail/:domain/status', mailScope, routes.mail.getStatus);
 router.post('/api/v1/mail/:domain/mail_from_validation', mailScope, routes.mail.setMailFromValidation);
 router.post('/api/v1/mail/:domain/catch_all', mailScope, routes.mail.setCatchAllAddress);
@@ -285,7 +285,7 @@ function initializeExpressSync() {
 router.get ('/api/v1/domains', domainsReadScope, routes.domains.getAll);
 router.get ('/api/v1/domains/:domain', domainsManageScope, verifyDomainLock, routes.domains.get); // this is manage scope because it returns non-restricted fields
 router.put ('/api/v1/domains/:domain', domainsManageScope, verifyDomainLock, routes.domains.update);
- router.del ('/api/v1/domains/:domain', domainsManageScope, verifyDomainLock, routes.users.verifyPassword, routes.domains.del);
+ router.del ('/api/v1/domains/:domain', domainsManageScope, verifyDomainLock, routes.domains.del);
 // addon routes
 router.get ('/api/v1/services', cloudronScope, routes.services.getAll);