Remove the password from API GET responses

While keeping it for POST/PUT.

fix #289

CHANGELOG.rst

@@ -12,6 +12,7 @@ Breaking changes
 - ``ADMIN_PASSWORD`` is now stored hashed. The ``ihatemoney generate_password_hash`` command can now be used to generate a proper password HASH (#236)
 - Turn the WSGI file into a python module, renamed from budget/ihatemoney.wsgi to ihatemoney/wsgi.py. Please update your Apache/Gunicorn configuration! (#218)
 - Admin privileges are now required to access the dashboard (#262)
+- `password` field has been removed from project API GET views (#289)
 
 Changed
 =======

ihatemoney/models.py

@@ -14,7 +14,7 @@ db = SQLAlchemy()
 class Project(db.Model):
 
     _to_serialize = (
-        "id", "name", "password", "contact_email", "members", "active_members",
+        "id", "name",  "contact_email", "members", "active_members",
         "balance"
     )
 

ihatemoney/tests/tests.py

@@ -1076,7 +1076,6 @@ class APITestCase(IhatemoneyTestCase):
             "balance": {},
         }
         decoded_resp = json.loads(resp.data.decode('utf-8'))
-        self.assertTrue(check_password_hash(decoded_resp.pop('password'), 'raclette'))
         self.assertDictEqual(decoded_resp, expected)
 
         # edit should work
@@ -1341,7 +1340,6 @@ class APITestCase(IhatemoneyTestCase):
 
         self.assertStatus(200, req)
         decoded_req = json.loads(req.data.decode('utf-8'))
-        self.assertTrue(check_password_hash(decoded_req.pop('password'), 'raclette'))
         self.assertDictEqual(decoded_req, expected)