Remove password requirement for destructive rest routes
This commit is contained in:
Johannes Zellner
@@ -537,7 +537,6 @@ describe('App API', function () {
|
||||
|
||||
it('cannot uninstall invalid app', function (done) {
|
||||
superagent.post(SERVER_URL + '/api/v1/apps/whatever/uninstall')
|
||||
.send({ password: PASSWORD })
|
||||
.query({ access_token: token })
|
||||
.end(function (err, res) {
|
||||
expect(res.statusCode).to.equal(404);
|
||||
@@ -545,28 +544,8 @@ describe('App API', function () {
|
||||
});
|
||||
});
|
||||
|
||||
it('cannot uninstall app without password', function (done) {
|
||||
superagent.post(SERVER_URL + '/api/v1/apps/' + APP_ID + '/uninstall')
|
||||
.query({ access_token: token })
|
||||
.end(function (err, res) {
|
||||
expect(res.statusCode).to.equal(400);
|
||||
done();
|
||||
});
|
||||
});
|
||||
|
||||
it('cannot uninstall app with wrong password', function (done) {
|
||||
superagent.post(SERVER_URL + '/api/v1/apps/' + APP_ID + '/uninstall')
|
||||
.send({ password: PASSWORD+PASSWORD })
|
||||
.query({ access_token: token })
|
||||
.end(function (err, res) {
|
||||
expect(res.statusCode).to.equal(403);
|
||||
done();
|
||||
});
|
||||
});
|
||||
|
||||
it('non admin cannot uninstall app', function (done) {
|
||||
superagent.post(SERVER_URL + '/api/v1/apps/' + APP_ID + '/uninstall')
|
||||
.send({ password: PASSWORD })
|
||||
.query({ access_token: token_1 })
|
||||
.end(function (err, res) {
|
||||
expect(res.statusCode).to.equal(403);
|
||||
@@ -579,7 +558,6 @@ describe('App API', function () {
|
||||
var fake2 = nock(config.apiServerOrigin()).delete(function (uri) { return uri.indexOf('/api/v1/cloudronapps/') >= 0; }).reply(204, { });
|
||||
|
||||
superagent.post(SERVER_URL + '/api/v1/apps/' + APP_ID + '/uninstall')
|
||||
.send({ password: PASSWORD })
|
||||
.query({ access_token: token })
|
||||
.end(function (err, res) {
|
||||
expect(res.statusCode).to.equal(202);
|
||||
@@ -1146,7 +1124,6 @@ describe('App installation', function () {
|
||||
}
|
||||
|
||||
superagent.post(SERVER_URL + '/api/v1/apps/' + APP_ID + '/uninstall')
|
||||
.send({ password: PASSWORD })
|
||||
.query({ access_token: token })
|
||||
.end(function (err, res) {
|
||||
expect(res.statusCode).to.equal(202);
|
||||
|
||||
@@ -253,7 +253,6 @@ describe('Domains API', function () {
|
||||
it('cannot delete locked domain', function (done) {
|
||||
superagent.delete(SERVER_URL + '/api/v1/domains/' + DOMAIN_0.domain)
|
||||
.query({ access_token: token })
|
||||
.send({ password: PASSWORD })
|
||||
.end(function (error, result) {
|
||||
expect(result.statusCode).to.equal(423);
|
||||
done();
|
||||
@@ -262,31 +261,9 @@ describe('Domains API', function () {
|
||||
});
|
||||
|
||||
describe('delete', function () {
|
||||
it('fails without password', function (done) {
|
||||
superagent.delete(SERVER_URL + '/api/v1/domains/' + DOMAIN_0.domain)
|
||||
.query({ access_token: token })
|
||||
.end(function (error, result) {
|
||||
expect(result.statusCode).to.equal(400);
|
||||
|
||||
done();
|
||||
});
|
||||
});
|
||||
|
||||
it('fails with wrong password', function (done) {
|
||||
superagent.delete(SERVER_URL + '/api/v1/domains/' + DOMAIN_0.domain)
|
||||
.query({ access_token: token })
|
||||
.send({ password: PASSWORD + PASSWORD })
|
||||
.end(function (error, result) {
|
||||
expect(result.statusCode).to.equal(403);
|
||||
|
||||
done();
|
||||
});
|
||||
});
|
||||
|
||||
it('fails for non-existing domain', function (done) {
|
||||
superagent.delete(SERVER_URL + '/api/v1/domains/' + DOMAIN_0.domain + DOMAIN_0.domain)
|
||||
.query({ access_token: token })
|
||||
.send({ password: PASSWORD })
|
||||
.end(function (error, result) {
|
||||
expect(result.statusCode).to.equal(404);
|
||||
|
||||
@@ -297,7 +274,6 @@ describe('Domains API', function () {
|
||||
it('succeeds', function (done) {
|
||||
superagent.delete(SERVER_URL + '/api/v1/domains/' + DOMAIN_0.domain)
|
||||
.query({ access_token: token })
|
||||
.send({ password: PASSWORD })
|
||||
.end(function (error, result) {
|
||||
expect(result.statusCode).to.equal(204);
|
||||
|
||||
|
||||
@@ -250,7 +250,6 @@ describe('Groups API', function () {
|
||||
|
||||
it('can remove empty group', function (done) {
|
||||
superagent.del(SERVER_URL + '/api/v1/groups/' + group1Object.id)
|
||||
.send({ password: PASSWORD })
|
||||
.query({ access_token: token })
|
||||
.end(function (error, result) {
|
||||
expect(result.statusCode).to.equal(204);
|
||||
@@ -260,7 +259,6 @@ describe('Groups API', function () {
|
||||
|
||||
it('can remove non-empty group', function (done) {
|
||||
superagent.del(SERVER_URL + '/api/v1/groups/' + groupObject.id)
|
||||
.send({ password: PASSWORD })
|
||||
.query({ access_token: token })
|
||||
.end(function (error, result) {
|
||||
expect(result.statusCode).to.equal(204);
|
||||
|
||||
@@ -190,29 +190,9 @@ describe('Mail API', function () {
|
||||
});
|
||||
});
|
||||
|
||||
it('cannot delete domain without password', function (done) {
|
||||
superagent.del(SERVER_URL + '/api/v1/mail/doesnotexist.com')
|
||||
.query({ access_token: token })
|
||||
.end(function (err, res) {
|
||||
expect(res.statusCode).to.equal(400);
|
||||
done();
|
||||
});
|
||||
});
|
||||
|
||||
it('cannot delete domain with wrong password', function (done) {
|
||||
superagent.del(SERVER_URL + '/api/v1/mail/doesnotexist.com')
|
||||
.send({ password: PASSWORD+PASSWORD })
|
||||
.query({ access_token: token })
|
||||
.end(function (err, res) {
|
||||
expect(res.statusCode).to.equal(403);
|
||||
done();
|
||||
});
|
||||
});
|
||||
|
||||
it('cannot delete non-existing domain', function (done) {
|
||||
superagent.del(SERVER_URL + '/api/v1/mail/doesnotexist.com')
|
||||
.query({ access_token: token })
|
||||
.send({ password: PASSWORD })
|
||||
.end(function (err, res) {
|
||||
expect(res.statusCode).to.equal(404);
|
||||
done();
|
||||
@@ -221,7 +201,6 @@ describe('Mail API', function () {
|
||||
|
||||
it('cannot delete admin mail domain', function (done) {
|
||||
superagent.del(SERVER_URL + '/api/v1/mail/' + ADMIN_DOMAIN.domain)
|
||||
.send({ password: PASSWORD })
|
||||
.query({ access_token: token })
|
||||
.end(function (err, res) {
|
||||
expect(res.statusCode).to.equal(409);
|
||||
@@ -231,7 +210,6 @@ describe('Mail API', function () {
|
||||
|
||||
it('can delete admin mail domain', function (done) {
|
||||
superagent.del(SERVER_URL + '/api/v1/mail/' + DOMAIN_0.domain)
|
||||
.send({ password: PASSWORD })
|
||||
.query({ access_token: token })
|
||||
.end(function (err, res) {
|
||||
expect(res.statusCode).to.equal(204);
|
||||
@@ -289,7 +267,6 @@ describe('Mail API', function () {
|
||||
dns.resolve = resolve;
|
||||
|
||||
superagent.del(SERVER_URL + '/api/v1/mail/' + DOMAIN_0.domain)
|
||||
.send({ password: PASSWORD })
|
||||
.query({ access_token: token })
|
||||
.end(function (err, res) {
|
||||
expect(res.statusCode).to.equal(204);
|
||||
@@ -539,7 +516,6 @@ describe('Mail API', function () {
|
||||
|
||||
after(function (done) {
|
||||
superagent.del(SERVER_URL + '/api/v1/mail/' + DOMAIN_0.domain)
|
||||
.send({ password: PASSWORD })
|
||||
.query({ access_token: token })
|
||||
.end(function (err, res) {
|
||||
expect(res.statusCode).to.equal(204);
|
||||
@@ -591,7 +567,6 @@ describe('Mail API', function () {
|
||||
|
||||
after(function (done) {
|
||||
superagent.del(SERVER_URL + '/api/v1/mail/' + DOMAIN_0.domain)
|
||||
.send({ password: PASSWORD })
|
||||
.query({ access_token: token })
|
||||
.end(function (err, res) {
|
||||
expect(res.statusCode).to.equal(204);
|
||||
@@ -662,7 +637,6 @@ describe('Mail API', function () {
|
||||
|
||||
after(function (done) {
|
||||
superagent.del(SERVER_URL + '/api/v1/mail/' + DOMAIN_0.domain)
|
||||
.send({ password: PASSWORD })
|
||||
.query({ access_token: token })
|
||||
.end(function (err, res) {
|
||||
expect(res.statusCode).to.equal(204);
|
||||
@@ -740,7 +714,6 @@ describe('Mail API', function () {
|
||||
|
||||
after(function (done) {
|
||||
superagent.del(SERVER_URL + '/api/v1/mail/' + DOMAIN_0.domain)
|
||||
.send({ password: PASSWORD })
|
||||
.query({ access_token: token })
|
||||
.end(function (err, res) {
|
||||
expect(res.statusCode).to.equal(204);
|
||||
@@ -846,7 +819,6 @@ describe('Mail API', function () {
|
||||
if (error) return done(error);
|
||||
|
||||
superagent.del(SERVER_URL + '/api/v1/mail/' + DOMAIN_0.domain)
|
||||
.send({ password: PASSWORD })
|
||||
.query({ access_token: token })
|
||||
.end(function (err, res) {
|
||||
expect(res.statusCode).to.equal(204);
|
||||
@@ -972,7 +944,6 @@ describe('Mail API', function () {
|
||||
if (error) return done(error);
|
||||
|
||||
superagent.del(SERVER_URL + '/api/v1/mail/' + DOMAIN_0.domain)
|
||||
.send({ password: PASSWORD })
|
||||
.query({ access_token: token })
|
||||
.end(function (err, res) {
|
||||
expect(res.statusCode).to.equal(204);
|
||||
|
||||
@@ -529,7 +529,6 @@ describe('Users API', function () {
|
||||
it('remove random user fails', function (done) {
|
||||
superagent.del(SERVER_URL + '/api/v1/users/randomid')
|
||||
.query({ access_token: token })
|
||||
.send({ password: PASSWORD })
|
||||
.end(function (err, res) {
|
||||
expect(res.statusCode).to.equal(404);
|
||||
done();
|
||||
@@ -539,46 +538,15 @@ describe('Users API', function () {
|
||||
it('user removes himself is not allowed', function (done) {
|
||||
superagent.del(SERVER_URL + '/api/v1/users/' + user_0.id)
|
||||
.query({ access_token: token })
|
||||
.send({ password: PASSWORD })
|
||||
.end(function (err, res) {
|
||||
expect(res.statusCode).to.equal(409);
|
||||
done();
|
||||
});
|
||||
});
|
||||
|
||||
it('admin cannot remove normal user without giving a password', function (done) {
|
||||
superagent.del(SERVER_URL + '/api/v1/users/' + user_1.id)
|
||||
.query({ access_token: token })
|
||||
.end(function (err, res) {
|
||||
expect(res.statusCode).to.equal(400);
|
||||
done();
|
||||
});
|
||||
});
|
||||
|
||||
it('admin cannot remove normal user with empty password', function (done) {
|
||||
superagent.del(SERVER_URL + '/api/v1/users/' + user_1.id)
|
||||
.query({ access_token: token })
|
||||
.send({ password: '' })
|
||||
.end(function (err, res) {
|
||||
expect(res.statusCode).to.equal(403);
|
||||
done();
|
||||
});
|
||||
});
|
||||
|
||||
it('admin cannot remove normal user with giving wrong password', function (done) {
|
||||
superagent.del(SERVER_URL + '/api/v1/users/' + user_1.id)
|
||||
.query({ access_token: token })
|
||||
.send({ password: PASSWORD + PASSWORD })
|
||||
.end(function (err, res) {
|
||||
expect(res.statusCode).to.equal(403);
|
||||
done();
|
||||
});
|
||||
});
|
||||
|
||||
it('admin removes normal user', function (done) {
|
||||
superagent.del(SERVER_URL + '/api/v1/users/' + user_1.id)
|
||||
.query({ access_token: token })
|
||||
.send({ password: PASSWORD })
|
||||
.end(function (err, res) {
|
||||
expect(res.statusCode).to.equal(204);
|
||||
done();
|
||||
@@ -588,7 +556,6 @@ describe('Users API', function () {
|
||||
it('admin removes himself should not be allowed', function (done) {
|
||||
superagent.del(SERVER_URL + '/api/v1/users/' + user_0.id)
|
||||
.query({ access_token: token })
|
||||
.send({ password: PASSWORD })
|
||||
.end(function (err, res) {
|
||||
expect(res.statusCode).to.equal(409);
|
||||
done();
|
||||
|
||||
Reference in New Issue
Block a user