From ca3b6e542abef4613ebba6722e2d181867c7e456 Mon Sep 17 00:00:00 2001
From: Johannes Zellner
Date: Tue, 7 Nov 2017 00:49:23 +0100
Subject: [PATCH] Require password for domain deletion route
---
 src/server.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/server.js b/src/server.js
index 10eb7ebd2..3e4eb8893 100644
--- a/src/server.js
+++ b/src/server.js
@@ -240,7 +240,7 @@ function initializeExpressSync() {
 router.get ('/api/v1/domains', settingsScope, routes.user.requireAdmin, routes.domains.getAll);
 router.get ('/api/v1/domains/:domain', settingsScope, routes.user.requireAdmin, routes.domains.get);
 router.put ('/api/v1/domains/:domain', settingsScope, routes.user.requireAdmin, routes.domains.update);
- router.del ('/api/v1/domains/:domain', settingsScope, routes.user.requireAdmin, routes.domains.del);
+ router.del ('/api/v1/domains/:domain', settingsScope, routes.user.requireAdmin, routes.user.verifyPassword, routes.domains.del);
 // disable server socket "idle" timeout. we use the timeout middleware to handle timeouts on a route level
 // we rely on nginx for timeouts on the TCP level (see client_header_timeout)
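Review bot: The `routes.user.verifyPassword` step added to the `router.del` line carries no comment on where the password is read from, and on a DELETE route that is worth pinning down: request bodies on DELETE are dropped by some clients and proxies, and a query-string fallback would put the admin password into the nginx access logs. verifyPassword itself is outside this hunk, so this is inferred; if it reads the password from the parsed request body, a comment such as `// verifyPassword expects the password in the JSON body; never accept it from the query string` above the route would record that. The check also turns this endpoint into a place where a holder of a stolen admin token can test password guesses, so it is worth confirming that failed attempts are rate limited and logged. initializeExpressSync starts and ends outside the hunk.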