NM-258: separate Ui and client api for delete host

controllers/hosts.go

@@ -36,8 +36,12 @@ func hostHandlers(r *mux.Router) {
 		Methods(http.MethodPost)
 	r.HandleFunc("/api/hosts/{hostid}", logic.SecurityCheck(true, http.HandlerFunc(updateHost))).
 		Methods(http.MethodPut)
+		// used by netclient
 	r.HandleFunc("/api/hosts/{hostid}", AuthorizeHost(http.HandlerFunc(deleteHost))).
 		Methods(http.MethodDelete)
+		// used by UI
+	r.HandleFunc("/api/v1/ui/hosts/{hostid}", logic.SecurityCheck(true, http.HandlerFunc(deleteHost))).
+		Methods(http.MethodDelete)
 	r.HandleFunc("/api/hosts/{hostid}/upgrade", logic.SecurityCheck(true, http.HandlerFunc(upgradeHost))).
 		Methods(http.MethodPut)
 	r.HandleFunc("/api/hosts/{hostid}/networks/{network}", logic.SecurityCheck(true, http.HandlerFunc(addHostToNetwork))).
@@ -532,8 +536,7 @@ func deleteHost(w http.ResponseWriter, r *http.Request) {
 	})
 	apiHostData := currHost.ConvertNMHostToAPI()
 	logger.Log(2, r.Header.Get("user"), "removed host", currHost.Name)
-	w.WriteHeader(http.StatusOK)
-	json.NewEncoder(w).Encode(apiHostData)
+	logic.ReturnSuccessResponseWithJson(w, r, apiHostData, "deleted host "+currHost.Name)
 }
 
 // @Summary     To Add Host To Network

controllers/node.go

@@ -139,12 +139,12 @@ func AuthorizeHost(
 	next http.Handler,
 ) http.HandlerFunc {
 	return func(w http.ResponseWriter, r *http.Request) {
-
+		var forbiddenResponse = models.ErrorResponse{
+			Code: http.StatusForbidden, Message: logic.Forbidden_Msg,
+		}
 		w.Header().Set("Content-Type", "application/json")
 
-		//get the auth token
 		bearerToken := r.Header.Get("Authorization")
-
 		var tokenSplit = strings.Split(bearerToken, " ")
 		var authToken = ""
 
@@ -155,12 +155,27 @@ func AuthorizeHost(
 			authToken = tokenSplit[1]
 		}
 
-		if hostID, _, _, err := logic.VerifyHostToken(authToken); err == nil {
-			r.Header.Set(hostIDHeader, hostID)
-			next.ServeHTTP(w, r)
+		id, _, _, err := logic.VerifyHostToken(authToken)
+		if err != nil {
+			logic.ReturnErrorResponse(w, r, logic.FormatError(logic.Unauthorized_Err, logic.Unauthorized_Msg))
 			return
 		}
-		logic.ReturnErrorResponse(w, r, logic.FormatError(logic.Unauthorized_Err, logic.Unauthorized_Msg))
+
+		// master key bypasses ownership checks
+		if id != logic.MasterUser {
+			params := mux.Vars(r)
+			if paramHostID := params["hostid"]; paramHostID != "" && id != paramHostID {
+				logic.ReturnErrorResponse(w, r, forbiddenResponse)
+				return
+			}
+			if paramNodeID := params["nodeid"]; paramNodeID != "" && id != paramNodeID {
+				logic.ReturnErrorResponse(w, r, forbiddenResponse)
+				return
+			}
+		}
+
+		r.Header.Set(hostIDHeader, id)
+		next.ServeHTTP(w, r)
 	}
 }