cloudflare: Fix crash when there is an external error updating dns records

The initial idea was to put an owner flag but this means that the
owner will be visible inside apps.

CHANGES

@@ -1373,3 +1373,7 @@
 * Fix alternate domain certificate renewal
 * API token can now have a name
 
+[3.1.3]
+* Prevent dashboard domain from being deleted
+* Add alternateDomains to app install route
+

baseimage/initializeBaseUbuntuImage.sh

@@ -14,10 +14,10 @@ function die {
 
 export DEBIAN_FRONTEND=noninteractive
 
-# hold grub since updating it breaks on some VPS providers
+# hold grub since updating it breaks on some VPS providers. also, dist-upgrade will trigger it
 apt-mark hold grub* >/dev/null
 apt-get -o Dpkg::Options::="--force-confdef" update -y
-apt-get -o Dpkg::Options::="--force-confdef" dist-upgrade -y
+apt-get -o Dpkg::Options::="--force-confdef" upgrade -y
 apt-mark unhold grub* >/dev/null
 
 echo "==> Installing required packages"
@@ -75,13 +75,11 @@ if [[ "${storage_driver}" != "overlay2" ]]; then
     exit 1
 fi
 
-# temporarily disable this for some providers which have issues updating grub unattended
-if [[ "${arg_provider}" != "galaxygate" ]]; then
-    echo "==> Enable memory accounting"
-    apt-get -y install grub2
-    sed -e 's/^GRUB_CMDLINE_LINUX="\(.*\)"$/GRUB_CMDLINE_LINUX="\1 cgroup_enable=memory swapaccount=1 panic_on_oops=1 panic=5"/' -i /etc/default/grub
-    update-grub
-fi
+# do not upgrade grub because it might prompt user and break this script
+echo "==> Enable memory accounting"
+apt-get -y --no-upgrade install grub2-common
+sed -e 's/^GRUB_CMDLINE_LINUX="\(.*\)"$/GRUB_CMDLINE_LINUX="\1 cgroup_enable=memory swapaccount=1 panic_on_oops=1 panic=5"/' -i /etc/default/grub
+update-grub
 
 echo "==> Downloading docker images"
 if [ ! -f "${arg_infraversionpath}/infra_version.js" ]; then

scripts/cloudron-setup

@@ -143,12 +143,12 @@ echo ""
 if [[ "${initBaseImage}" == "true" ]]; then
     echo "=> Updating apt and installing script dependencies"
     if ! apt-get update &>> "${LOG_FILE}"; then
-        echo "Could not update package repositories"
+        echo "Could not update package repositories. See ${LOG_FILE}"
         exit 1
     fi
 
     if ! apt-get install curl python3 ubuntu-standard -y &>> "${LOG_FILE}"; then
-        echo "Could not install setup dependencies (curl)"
+        echo "Could not install setup dependencies (curl). See ${LOG_FILE}"
         exit 1
     fi
 fi

src/apps.js

@@ -204,6 +204,13 @@ function postProcess(app) {
     app.portBindings = result;
 }
 
+function addSpacesSuffix(location, user) {
+    if (user.admin || !config.isSpacesEnabled()) return location;
+
+    const spacesSuffix = user.username.replace(/\./g, '-');
+    return location === '' ? spacesSuffix : `${location}-${spacesSuffix}`;
+}
+
 function validateAccessRestriction(accessRestriction) {
     assert.strictEqual(typeof accessRestriction, 'object');
 
@@ -487,8 +494,9 @@ function mailboxNameForLocation(location, manifest) {
     return (location ? location : manifest.title.toLowerCase().replace(/[^a-zA-Z0-9]/g, '')) + '.app';
 }
 
-function install(data, auditSource, callback) {
+function install(data, user, auditSource, callback) {
     assert(data && typeof data === 'object');
+    assert(user && typeof user === 'object');
     assert.strictEqual(typeof auditSource, 'object');
     assert.strictEqual(typeof callback, 'function');
 
@@ -507,7 +515,8 @@ function install(data, auditSource, callback) {
         enableBackup = 'enableBackup' in data ? data.enableBackup : true,
         backupId = data.backupId || null,
         backupFormat = data.backupFormat || 'tgz',
-        ownerId = data.ownerId;
+        ownerId = data.ownerId,
+        alternateDomains = data.alternateDomains || [];
 
     assert(data.appStoreId || data.manifest); // atleast one of them is required
 
@@ -559,6 +568,9 @@ function install(data, auditSource, callback) {
             if (error && error.reason === DomainsError.NOT_FOUND) return callback(new AppsError(AppsError.NOT_FOUND, 'No such domain'));
             if (error) return callback(new AppsError(AppsError.INTERNAL_ERROR, 'Could not get domain info:' + error.message));
 
+            location = addSpacesSuffix(location, user);
+            alternateDomains.forEach(function (ad) { ad.subdomain = addSpacesSuffix(ad.subdomain, user); }); // TODO: validate these
+
             error = domains.validateHostname(location, domainObject);
             if (error) return callback(new AppsError(AppsError.BAD_FIELD, 'Bad location: ' + error.message));
 
@@ -579,7 +591,8 @@ function install(data, auditSource, callback) {
                 mailboxName: mailboxNameForLocation(location, manifest),
                 restoreConfig: backupId ? { backupId: backupId, backupFormat: backupFormat } : null,
                 enableBackup: enableBackup,
-                robotsTxt: robotsTxt
+                robotsTxt: robotsTxt,
+                alternateDomains: alternateDomains
             };
 
             appdb.add(appId, appStoreId, manifest, location, domain, ownerId, translatePortBindings(portBindings, manifest), data, function (error) {
@@ -626,9 +639,10 @@ function install(data, auditSource, callback) {
     });
 }
 
-function configure(appId, data, auditSource, callback) {
+function configure(appId, data, user, auditSource, callback) {
     assert.strictEqual(typeof appId, 'string');
     assert(data && typeof data === 'object');
+    assert(user && typeof user === 'object');
     assert.strictEqual(typeof auditSource, 'object');
     assert.strictEqual(typeof callback, 'function');
 
@@ -689,12 +703,15 @@ function configure(appId, data, auditSource, callback) {
         if ('alternateDomains' in data) {
             // TODO validate all subdomains [{ domain: '', subdomain: ''}]
             values.alternateDomains = data.alternateDomains;
+            values.alternateDomains.forEach(function (ad) { ad.subdomain = addSpacesSuffix(ad.subdomain, user); }); // TODO: validate these
         }
 
         domains.get(domain, function (error, domainObject) {
             if (error && error.reason === DomainsError.NOT_FOUND) return callback(new AppsError(AppsError.NOT_FOUND, 'No such domain'));
             if (error) return callback(new AppsError(AppsError.INTERNAL_ERROR, 'Could not get domain info:' + error.message));
 
+            location = addSpacesSuffix(location, user);
+
             error = domains.validateHostname(location, domainObject);
             if (error) return callback(new AppsError(AppsError.BAD_FIELD, 'Bad location: ' + error.message));
 
@@ -917,9 +934,10 @@ function restore(appId, data, auditSource, callback) {
     });
 }
 
-function clone(appId, data, auditSource, callback) {
+function clone(appId, data, user, auditSource, callback) {
     assert.strictEqual(typeof appId, 'string');
     assert.strictEqual(typeof data, 'object');
+    assert(user && typeof user === 'object');
     assert.strictEqual(typeof auditSource, 'object');
     assert.strictEqual(typeof callback, 'function');
 
@@ -958,6 +976,7 @@ function clone(appId, data, auditSource, callback) {
                 if (error && error.reason === DomainsError.NOT_FOUND) return callback(new AppsError(AppsError.EXTERNAL_ERROR, 'No such domain'));
                 if (error) return callback(new AppsError(AppsError.INTERNAL_ERROR, 'Could not get domain info:' + error.message));
 
+                location = addSpacesSuffix(location, user);
                 error = domains.validateHostname(location, domainObject);
                 if (error) return callback(new AppsError(AppsError.BAD_FIELD, 'Bad location: ' + error.message));
 

src/config.js

@@ -38,8 +38,12 @@ exports = module.exports = {
     dkimSelector: dkimSelector,
 
     isDemo: isDemo,
+
+    // feature flags based on editions (these have a separate license from standard edition)
     isSpacesEnabled: isSpacesEnabled,
     allowHyphenatedSubdomains: allowHyphenatedSubdomains,
+    allowOperatorActions: allowOperatorActions,
+    isAdminDomainLocked: isAdminDomainLocked,
 
     // for testing resets to defaults
     _reset: _reset
@@ -233,6 +237,14 @@ function allowHyphenatedSubdomains() {
     return get('edition') === 'hostingprovider';
 }
 
+function allowOperatorActions() {
+    return get('edition') !== 'hostingprovider';
+}
+
+function isAdminDomainLocked() {
+    return get('edition') === 'hostingprovider';
+}
+
 function provider() {
     return get('provider');
 }

src/dns/cloudflare.js

@@ -28,7 +28,7 @@ function translateRequestError(result, callback) {
     if (result.statusCode === 422) return callback(new DomainsError(DomainsError.BAD_FIELD, result.body.message));
     if ((result.statusCode === 400 || result.statusCode === 401 || result.statusCode === 403) && result.body.errors.length > 0) {
         let error = result.body.errors[0];
-        let message = error.message;
+        let message = `message: ${error.message} statusCode: ${result.statusCode} code:${error.code}`;
         if (error.code === 6003) {
             if (error.error_chain[0] && error.error_chain[0].code === 6103) message = 'Invalid API Key';
             else message = 'Invalid credentials';

src/domains.js

@@ -6,6 +6,7 @@ module.exports = exports = {
     getAll: getAll,
     update: update,
     del: del,
+    isLocked: isLocked,
 
     fqdn: fqdn,
     setAdmin: setAdmin,
@@ -205,6 +206,10 @@ function add(domain, zoneName, provider, dnsConfig, fallbackCertificate, tlsConf
     });
 }
 
+function isLocked(domain) {
+    return domain === config.adminDomain() && config.isAdminDomainLocked();
+}
+
 function get(domain, callback) {
     assert.strictEqual(typeof domain, 'string');
     assert.strictEqual(typeof callback, 'function');
@@ -214,6 +219,8 @@ function get(domain, callback) {
         if (error && error.reason === DatabaseError.NOT_FOUND) return callback(new DomainsError(DomainsError.NOT_FOUND));
         if (error) return callback(new DomainsError(DomainsError.INTERNAL_ERROR, error));
 
+        result.locked = isLocked(domain);
+
         reverseProxy.getFallbackCertificate(domain, function (error, bundle) {
             if (error && error.reason !== ReverseProxyError.NOT_FOUND) return callback(new DomainsError(DomainsError.INTERNAL_ERROR, error));
 
@@ -235,6 +242,8 @@ function getAll(callback) {
     domaindb.getAll(function (error, result) {
         if (error) return callback(new DomainsError(DomainsError.INTERNAL_ERROR, error));
 
+        result.forEach(function (r) { r.locked = isLocked(r.domain); });
+
         return callback(null, result);
     });
 }
@@ -301,6 +310,8 @@ function del(domain, callback) {
     assert.strictEqual(typeof domain, 'string');
     assert.strictEqual(typeof callback, 'function');
 
+    if (domain === config.adminDomain()) return callback(new DomainsError(DomainsError.IN_USE));
+
     domaindb.del(domain, function (error) {
         if (error && error.reason === DatabaseError.NOT_FOUND) return callback(new DomainsError(DomainsError.NOT_FOUND));
         if (error && error.reason === DatabaseError.IN_USE) return callback(new DomainsError(DomainsError.IN_USE));
@@ -427,17 +438,17 @@ function setAdmin(domain, callback) {
 
 // removes all fields that are strictly private and should never be returned by API calls
 function removePrivateFields(domain) {
-    var result = _.pick(domain, 'domain', 'zoneName', 'provider', 'config', 'tlsConfig', 'fallbackCertificate');
+    var result = _.pick(domain, 'domain', 'zoneName', 'provider', 'config', 'tlsConfig', 'fallbackCertificate', 'locked');
     if (result.fallbackCertificate) delete result.fallbackCertificate.key;  // do not return the 'key'. in caas, this is private
     return result;
 }
 
 // removes all fields that are not accessible by a normal user
 function removeRestrictedFields(domain) {
-    var result = _.pick(domain, 'domain', 'zoneName', 'provider');
+    var result = _.pick(domain, 'domain', 'zoneName', 'provider', 'locked');
 
     // always ensure config object
     result.config = { hyphenatedSubdomains: !!domain.config.hyphenatedSubdomains };
 
     return result;
-}
+}

src/mail.js

@@ -625,7 +625,7 @@ function txtRecordsWithSpf(domain, callback) {
     assert.strictEqual(typeof callback, 'function');
 
     domains.getDnsRecords('', domain, 'TXT', function (error, txtRecords) {
-        if (error) return callback(error);
+        if (error) return new MailError(MailError.EXTERNAL_ERROR, error.message);
 
         debug('txtRecordsWithSpf: current txt records - %j', txtRecords);
 
@@ -741,10 +741,14 @@ function setDnsRecords(domain, callback) {
             async.mapSeries(records, function (record, iteratorCallback) {
                 domains.upsertDnsRecords(record.subdomain, record.domain, record.type, record.values, iteratorCallback);
             }, function (error, changeIds) {
-                if (error) debug('addDnsRecords: failed to update : %s. will retry', error);
-                else debug('addDnsRecords: records %j added with changeIds %j', records, changeIds);
+                if (error) {
+                    debug(`addDnsRecords: failed to update: ${error}`);
+                    return callback(new MailError(MailError.EXTERNAL_ERROR, error.message));
+                }
 
-                callback(error);
+                debug('addDnsRecords: records %j added with changeIds %j', records, changeIds);
+
+                callback(null);
             });
         });
     });
@@ -772,6 +776,8 @@ function removeDomain(domain, callback) {
     assert.strictEqual(typeof domain, 'string');
     assert.strictEqual(typeof callback, 'function');
 
+    if (domain === config.adminDomain()) return callback(new MailError(MailError.IN_USE));
+
     maildb.del(domain, function (error) {
         if (error && error.reason === DatabaseError.IN_USE) return callback(new MailError(MailError.IN_USE));
         if (error && error.reason === DatabaseError.NOT_FOUND) return callback(new MailError(MailError.NOT_FOUND, error.message));

src/routes/accesscontrol.js

@@ -5,20 +5,16 @@ exports = module.exports = {
     uninitialize: uninitialize,
 
     scope: scope,
-    websocketAuth: websocketAuth,
-    verifyAppOwnership: verifyAppOwnership
+    websocketAuth: websocketAuth
 };
 
 var accesscontrol = require('../accesscontrol.js'),
-    apps = require('../apps.js'),
-    AppsError = apps.AppsError,
     assert = require('assert'),
     BasicStrategy = require('passport-http').BasicStrategy,
     BearerStrategy = require('passport-http-bearer').Strategy,
     clients = require('../clients.js'),
     ClientPasswordStrategy = require('passport-oauth2-client-password').Strategy,
     ClientsError = clients.ClientsError,
-    config = require('../config.js'),
     HttpError = require('connect-lastmile').HttpError,
     LocalStrategy = require('passport-local').Strategy,
     passport = require('passport'),
@@ -142,22 +138,3 @@ function websocketAuth(requiredScopes, req, res, next) {
         next();
     });
 }
-
-function verifyAppOwnership(req, res, next) {
-    if (req.user.admin) return next();
-
-    if (!config.isSpacesEnabled) return next();
-
-    const appCreate = !('id' in req.params);
-
-    if (appCreate) return next(); // ok to install app
-
-    apps.get(req.params.id, function (error, app) {
-        if (error && error.reason === AppsError.NOT_FOUND) return next(new HttpError(404, 'No such app'));
-        if (error) return next(new HttpError(500, error));
-
-        if (app.ownerId !== req.user.id) return next(new HttpError(401, 'Unauthorized'));
-
-        next();
-    });
-}

src/routes/apps.js

@@ -1,6 +1,8 @@
 'use strict';
 
 exports = module.exports = {
+    verifyOwnership: verifyOwnership,
+
     getApp: getApp,
     getApps: getApps,
     getAppIcon: getAppIcon,
@@ -45,12 +47,23 @@ function auditSource(req) {
     return { ip: ip, username: req.user ? req.user.username : null, userId: req.user ? req.user.id : null };
 }
 
-// TODO: move this to model code
-function addSpacesSuffix(location, user) {
-    if (user.admin || !config.isSpacesEnabled()) return location;
+function verifyOwnership(req, res, next) {
+    if (req.user.admin) return next();
 
-    const spacesSuffix = user.username.replace(/\./g, '-');
-    return location === '' ? spacesSuffix : `${location}-${spacesSuffix}`;
+    if (!config.isSpacesEnabled()) return next();
+
+    const appCreate = !('id' in req.params);
+
+    if (appCreate) return next(); // ok to install app
+
+    apps.get(req.params.id, function (error, app) {
+        if (error && error.reason === AppsError.NOT_FOUND) return next(new HttpError(404, 'No such app'));
+        if (error) return next(new HttpError(500, error));
+
+        if (app.ownerId !== req.user.id) return next(new HttpError(401, 'Unauthorized'));
+
+        next();
+    });
 }
 
 function getApp(req, res, next) {
@@ -99,7 +112,6 @@ function installApp(req, res, next) {
 
     // required
     if (typeof data.location !== 'string') return next(new HttpError(400, 'location is required'));
-    data.location = addSpacesSuffix(data.location, req.user);
     if (typeof data.domain !== 'string') return next(new HttpError(400, 'domain is required'));
     if (typeof data.accessRestriction !== 'object') return next(new HttpError(400, 'accessRestriction is required'));
 
@@ -127,9 +139,14 @@ function installApp(req, res, next) {
 
     if (data.robotsTxt && typeof data.robotsTxt !== 'string') return next(new HttpError(400, 'robotsTxt must be a string'));
 
+    if ('alternateDomains' in data) {
+        if (!Array.isArray(data.alternateDomains)) return next(new HttpError(400, 'alternateDomains must be an array'));
+        if (data.alternateDomains.some(function (d) { return (typeof d.domain !== 'string' || typeof d.subdomain !== 'string'); })) return next(new HttpError(400, 'alternateDomains array must contain objects with domain and subdomain strings'));
+    }
+
     debug('Installing app :%j', data);
 
-    apps.install(data, auditSource(req), function (error, app) {
+    apps.install(data, req.user, auditSource(req), function (error, app) {
         if (error && error.reason === AppsError.NOT_FOUND) return next(new HttpError(404, error.message));
         if (error && error.reason === AppsError.ALREADY_EXISTS) return next(new HttpError(409, error.message));
         if (error && error.reason === AppsError.PORT_RESERVED) return next(new HttpError(409, 'Port ' + error.message + ' is reserved.'));
@@ -150,11 +167,7 @@ function configureApp(req, res, next) {
 
     var data = req.body;
 
-    if ('location' in data) {
-        if (typeof data.location !== 'string') return next(new HttpError(400, 'location must be string'));
-        data.location = addSpacesSuffix(data.location, req.user);
-    }
-
+    if ('location' in data && typeof data.location !== 'string') return next(new HttpError(400, 'location must be string'));
     if ('domain' in data && typeof data.domain !== 'string') return next(new HttpError(400, 'domain must be string'));
     if ('portBindings' in data && typeof data.portBindings !== 'object') return next(new HttpError(400, 'portBindings must be an object'));
     if ('accessRestriction' in data && typeof data.accessRestriction !== 'object') return next(new HttpError(400, 'accessRestriction must be an object'));
@@ -179,13 +192,11 @@ function configureApp(req, res, next) {
     if ('alternateDomains' in data) {
         if (!Array.isArray(data.alternateDomains)) return next(new HttpError(400, 'alternateDomains must be an array'));
         if (data.alternateDomains.some(function (d) { return (typeof d.domain !== 'string' || typeof d.subdomain !== 'string'); })) return next(new HttpError(400, 'alternateDomains array must contain objects with domain and subdomain strings'));
-
-        data.alternateDomains.forEach(function (ad) { ad.subdomain = addSpacesSuffix(ad.subdomain, req.user); });
     }
 
     debug('Configuring app id:%s data:%j', req.params.id, data);
 
-    apps.configure(req.params.id, data, auditSource(req), function (error) {
+    apps.configure(req.params.id, data, req.user, auditSource(req), function (error) {
         if (error && error.reason === AppsError.ALREADY_EXISTS) return next(new HttpError(409, error.message));
         if (error && error.reason === AppsError.PORT_RESERVED) return next(new HttpError(409, 'Port ' + error.message + ' is reserved.'));
         if (error && error.reason === AppsError.PORT_CONFLICT) return next(new HttpError(409, 'Port ' + error.message + ' is already in use.'));
@@ -232,11 +243,10 @@ function cloneApp(req, res, next) {
 
     if (typeof data.backupId !== 'string') return next(new HttpError(400, 'backupId must be a string'));
     if (typeof data.location !== 'string') return next(new HttpError(400, 'location is required'));
-    data.location = addSpacesSuffix(data.location, req.user);
     if (typeof data.domain !== 'string') return next(new HttpError(400, 'domain is required'));
     if (('portBindings' in data) && typeof data.portBindings !== 'object') return next(new HttpError(400, 'portBindings must be an object'));
 
-    apps.clone(req.params.id, data, auditSource(req), function (error, result) {
+    apps.clone(req.params.id, data, req.user, auditSource(req), function (error, result) {
         if (error && error.reason === AppsError.NOT_FOUND) return next(new HttpError(404, 'No such app'));
         if (error && error.reason === AppsError.PORT_RESERVED) return next(new HttpError(409, 'Port ' + error.message + ' is reserved.'));
         if (error && error.reason === AppsError.PORT_CONFLICT) return next(new HttpError(409, 'Port ' + error.message + ' is already in use.'));

src/routes/domains.js

@@ -5,7 +5,9 @@ exports = module.exports = {
     get: get,
     getAll: getAll,
     update: update,
-    del: del
+    del: del,
+
+    verifyDomainLock: verifyDomainLock
 };
 
 var assert = require('assert'),
@@ -14,6 +16,14 @@ var assert = require('assert'),
     HttpError = require('connect-lastmile').HttpError,
     HttpSuccess = require('connect-lastmile').HttpSuccess;
 
+function verifyDomainLock(req, res, next) {
+    assert.strictEqual(typeof req.params.domain, 'string');
+
+    if (domains.isLocked(req.params.domain)) return next(new HttpError(423, 'This domain is locked'));
+
+    next();
+}
+
 function add(req, res, next) {
     assert.strictEqual(typeof req.body, 'object');
 

src/routes/mail.js

@@ -88,6 +88,7 @@ function setDnsRecords(req, res, next) {
 
     mail.setDnsRecords(req.params.domain, function (error) {
         if (error && error.reason === MailError.NOT_FOUND) return next(new HttpError(404, error.message));
+        if (error && error.reason === MailError.EXTERNAL_ERROR) return next(new HttpError(503, error.message));
         if (error) return next(new HttpError(500, error));
 
         next(new HttpSuccess(201));

src/routes/users.js

@@ -11,10 +11,12 @@ exports = module.exports = {
     createInvite: createInvite,
     sendInvite: sendInvite,
     setGroups: setGroups,
-    transferOwnership: transferOwnership
+    transferOwnership: transferOwnership,
+    verifyOperator: verifyOperator
 };
 
 var assert = require('assert'),
+    config = require('../config.js'),
     HttpError = require('connect-lastmile').HttpError,
     HttpSuccess = require('connect-lastmile').HttpSuccess,
     users = require('../users.js'),
@@ -25,6 +27,12 @@ function auditSource(req) {
     return { ip: ip, username: req.user ? req.user.username : null, userId: req.user ? req.user.id : null };
 }
 
+function verifyOperator(req, res, next) {
+    if (config.allowOperatorActions()) return next();
+
+    next(new HttpError(401, 'Not allowed in this edition'));
+}
+
 function create(req, res, next) {
     assert.strictEqual(typeof req.body, 'object');
 

src/server.js

@@ -94,7 +94,7 @@ function initializeExpressSync() {
     var usersReadScope = routes.accesscontrol.scope(accesscontrol.SCOPE_USERS_READ);
     var usersManageScope = routes.accesscontrol.scope(accesscontrol.SCOPE_USERS_MANAGE);
     var appsReadScope = routes.accesscontrol.scope(accesscontrol.SCOPE_APPS_READ);
-    var appsManageScope = [ routes.accesscontrol.scope(accesscontrol.SCOPE_APPS_MANAGE), routes.accesscontrol.verifyAppOwnership ];
+    var appsManageScope = [ routes.accesscontrol.scope(accesscontrol.SCOPE_APPS_MANAGE), routes.apps.verifyOwnership ];
     var settingsScope = routes.accesscontrol.scope(accesscontrol.SCOPE_SETTINGS);
     var mailScope = routes.accesscontrol.scope(accesscontrol.SCOPE_MAIL);
     var clientsScope = routes.accesscontrol.scope(accesscontrol.SCOPE_CLIENTS);
@@ -102,6 +102,9 @@ function initializeExpressSync() {
     var domainsManageScope = routes.accesscontrol.scope(accesscontrol.SCOPE_DOMAINS_MANAGE);
     var appstoreScope = routes.accesscontrol.scope(accesscontrol.SCOPE_APPSTORE);
 
+    const verifyOperator = routes.users.verifyOperator;
+    const verifyDomainLock = routes.domains.verifyDomainLock;
+
     // csrf protection
     var csrf = routes.oauth2.csrf();
 
@@ -126,10 +129,10 @@ function initializeExpressSync() {
     router.get ('/api/v1/cloudron/disks', cloudronScope, routes.cloudron.getDisks);
     router.get ('/api/v1/cloudron/logs/:unit', cloudronScope, routes.cloudron.getLogs);
     router.get ('/api/v1/cloudron/logstream/:unit', cloudronScope, routes.cloudron.getLogStream);
-    router.get ('/api/v1/cloudron/ssh/authorized_keys', cloudronScope, routes.ssh.getAuthorizedKeys);
-    router.put ('/api/v1/cloudron/ssh/authorized_keys', cloudronScope, routes.ssh.addAuthorizedKey);
-    router.get ('/api/v1/cloudron/ssh/authorized_keys/:identifier', cloudronScope, routes.ssh.getAuthorizedKey);
-    router.del ('/api/v1/cloudron/ssh/authorized_keys/:identifier', cloudronScope, routes.ssh.delAuthorizedKey);
+    router.get ('/api/v1/cloudron/ssh/authorized_keys', cloudronScope, verifyOperator, routes.ssh.getAuthorizedKeys);
+    router.put ('/api/v1/cloudron/ssh/authorized_keys', cloudronScope, verifyOperator, routes.ssh.addAuthorizedKey);
+    router.get ('/api/v1/cloudron/ssh/authorized_keys/:identifier', cloudronScope, verifyOperator, routes.ssh.getAuthorizedKey);
+    router.del ('/api/v1/cloudron/ssh/authorized_keys/:identifier', cloudronScope, verifyOperator, routes.ssh.delAuthorizedKey);
     router.get ('/api/v1/cloudron/eventlog', cloudronScope, routes.eventlog.get);
 
     // config route (for dashboard)
@@ -209,7 +212,7 @@ function initializeExpressSync() {
     router.get ('/api/v1/apps/:id/logs',      appsManageScope, routes.apps.getLogs);
     router.get ('/api/v1/apps/:id/exec',      appsManageScope, routes.apps.exec);
     // websocket cannot do bearer authentication
-    router.get ('/api/v1/apps/:id/execws',    routes.accesscontrol.websocketAuth.bind(null, [ accesscontrol.SCOPE_APPS_MANAGE ]), routes.accesscontrol.verifyAppOwnership, routes.apps.execWebSocket);
+    router.get ('/api/v1/apps/:id/execws',    routes.accesscontrol.websocketAuth.bind(null, [ accesscontrol.SCOPE_APPS_MANAGE ]), routes.apps.verifyOwnership, routes.apps.execWebSocket);
     router.post('/api/v1/apps/:id/clone',     appsManageScope, routes.apps.cloneApp);
     router.get ('/api/v1/apps/:id/download',  appsManageScope, routes.apps.downloadFile);
     router.post('/api/v1/apps/:id/upload',    appsManageScope, multipart, routes.apps.uploadFile);
@@ -224,15 +227,15 @@ function initializeExpressSync() {
     router.post('/api/v1/settings/cloudron_name',      settingsScope, routes.settings.setCloudronName);
     router.get ('/api/v1/settings/cloudron_avatar',    settingsScope, routes.settings.getCloudronAvatar);
     router.post('/api/v1/settings/cloudron_avatar',    settingsScope, multipart, routes.settings.setCloudronAvatar);
-    router.get ('/api/v1/settings/backup_config',      settingsScope, routes.settings.getBackupConfig);
-    router.post('/api/v1/settings/backup_config',      settingsScope, routes.settings.setBackupConfig);
-    router.get ('/api/v1/settings/platform_config',      settingsScope, routes.settings.getPlatformConfig);
-    router.post('/api/v1/settings/platform_config',      settingsScope, routes.settings.setPlatformConfig);
+    router.get ('/api/v1/settings/backup_config',      settingsScope, verifyOperator, routes.settings.getBackupConfig);
+    router.post('/api/v1/settings/backup_config',      settingsScope, verifyOperator, routes.settings.setBackupConfig);
+    router.get ('/api/v1/settings/platform_config',    settingsScope, verifyOperator, routes.settings.getPlatformConfig);
+    router.post('/api/v1/settings/platform_config',    settingsScope, verifyOperator, routes.settings.setPlatformConfig);
 
     router.get ('/api/v1/settings/time_zone',          settingsScope, routes.settings.getTimeZone);
     router.post('/api/v1/settings/time_zone',          settingsScope, routes.settings.setTimeZone);
-    router.get ('/api/v1/settings/appstore_config',    appstoreScope, routes.settings.getAppstoreConfig);
-    router.post('/api/v1/settings/appstore_config',    appstoreScope, routes.settings.setAppstoreConfig);
+    router.get ('/api/v1/settings/appstore_config',    appstoreScope, verifyOperator, routes.settings.getAppstoreConfig);
+    router.post('/api/v1/settings/appstore_config',    appstoreScope, verifyOperator, routes.settings.setAppstoreConfig);
 
     // email routes
     router.get ('/api/v1/mail/:domain',       mailScope, routes.mail.getDomain);
@@ -261,7 +264,7 @@ function initializeExpressSync() {
     router.del ('/api/v1/mail/:domain/lists/:name', mailScope, routes.mail.removeList);
 
     // feedback
-    router.post('/api/v1/feedback', cloudronScope, routes.cloudron.feedback);
+    router.post('/api/v1/feedback', cloudronScope, verifyOperator, routes.cloudron.feedback);
 
     // backup routes
     router.get ('/api/v1/backups', settingsScope, routes.backups.get);
@@ -270,9 +273,9 @@ function initializeExpressSync() {
     // domain routes
     router.post('/api/v1/domains', domainsManageScope, routes.domains.add);
     router.get ('/api/v1/domains', domainsReadScope, routes.domains.getAll);
-    router.get ('/api/v1/domains/:domain', domainsManageScope, routes.domains.get);  // this is manage scope because it returns non-restricted fields
-    router.put ('/api/v1/domains/:domain', domainsManageScope, routes.domains.update);
-    router.del ('/api/v1/domains/:domain', domainsManageScope, routes.users.verifyPassword, routes.domains.del);
+    router.get ('/api/v1/domains/:domain', domainsManageScope, verifyDomainLock, routes.domains.get);  // this is manage scope because it returns non-restricted fields
+    router.put ('/api/v1/domains/:domain', domainsManageScope, verifyDomainLock, routes.domains.update);
+    router.del ('/api/v1/domains/:domain', domainsManageScope, verifyDomainLock, routes.users.verifyPassword, routes.domains.del);
 
     // caas routes
     router.get('/api/v1/caas/config', cloudronScope, routes.caas.getConfig);