fix perms on plugins

This commit is contained in:
Kukks
2024-03-15 16:00:30 +01:00
parent 0efd3fc53a
commit f60f98dc14
6 changed files with 49 additions and 55 deletions


@@ -9,7 +9,6 @@ using Microsoft.AspNetCore.Mvc;
namespace BTCPayServer.Plugins.Bringin;
[Authorize(AuthenticationSchemes = AuthenticationSchemes.Cookie)]
[Authorize(Policy = Policies.CanModifyStoreSettings, AuthenticationSchemes = AuthenticationSchemes.Cookie)]
[Route("plugins/{storeId}/Bringin")]
public class BringinController : Controller
{
@@ -24,11 +23,10 @@ public class BringinController : Controller
_btcPayNetworkProvider = btcPayNetworkProvider;
}
[Authorize(Policy = Policies.CanModifyStoreSettings, AuthenticationSchemes = AuthenticationSchemes.Cookie)]
[HttpGet("onboard")]
public async Task<IActionResult> Onboard(string storeId)
{
var vm = await _bringinService.Update(storeId);
var callbackUri = Url.Action("Callback", "Bringin", new
@@ -43,6 +41,7 @@ public class BringinController : Controller
return Redirect(onboardUri.ToString());
}
[Authorize(Policy = Policies.CanViewStoreSettings, AuthenticationSchemes = AuthenticationSchemes.Cookie)]
[HttpGet("")]
public async Task<IActionResult> Edit()
{
@@ -51,6 +50,7 @@ public class BringinController : Controller
[HttpPost("callback")]
[HttpGet("callback")]
[AllowAnonymous]
public async Task<IActionResult> Callback(string storeId, string code, [FromBody]BringinVerificationUpdate content)
{
var vm = await _bringinService.Update(storeId);
@@ -73,27 +73,4 @@ public class BringinController : Controller
public string verificationStatus { get; set; }
}
// [HttpGet("callback")]
// public async Task<IActionResult> Callback(string storeId, string apiKey, string code)
// {
// //truncate with showing only first 3 letters on start ond end
//
// var truncatedApikey = apiKey.Substring(0, 3) + "***" + apiKey.Substring(apiKey.Length - 3);
//
// return View("Confirm",
// new ConfirmModel("Confirm Bringin API Key",
// $"You are about to set your Bringin API key to {truncatedApikey}", "Set", "btn-primary"));
// }
//
// [HttpPost("callback")]
// public async Task<IActionResult> CallbackConfirm(string storeId, string apiKey)
// {
// var vm = await _bringinService.Update(storeId);
// vm.ApiKey = apiKey;
// await _bringinService.Update(storeId, vm);
// return RedirectToAction("Edit", new {storeId});
// }
}
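Review bot: `Callback` is marked `[AllowAnonymous]`, and the first statement visible in its body is `_bringinService.Update(storeId)`, so an unauthenticated request with any `storeId` in the route reaches that store's Bringin settings before anything visible checks `code`. The body continues outside the hunk, so the check may exist further down, but it belongs first: compare `code` with whatever per-store value `Onboard` placed in the callback URL, using `CryptographicOperations.FixedTimeEquals`, and return `NotFound()` on a mismatch before loading or writing anything. The action also combines `[HttpGet("callback")]` with a `[FromBody]` parameter; a state-changing GET that binds a body is worth dropping unless the provider requires it. The class-level policy appears to have been removed in the first hunk, so a comment above the class such as `// Each action must declare its own store policy; the class attribute only enforces cookie authentication.` would keep later actions from shipping as authenticated-only.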


@@ -1,5 +1,6 @@
@using System.Threading
@using BTCPayServer.Abstractions.Extensions
@using BTCPayServer.Client
@using BTCPayServer.Data
@using BTCPayServer.Payments
@using BTCPayServer.PayoutProcessors
@@ -10,6 +11,7 @@
@using NBitcoin
@implements IAsyncDisposable;
@code {
private BringinService.BringinStoreSettings? _settings;
private bool _isLoaded = false;
@@ -23,6 +25,7 @@
[Inject] private BTCPayNetworkProvider BTCPayNetworkProvider { get; set; }
[Inject] private IHttpClientFactory HttpClientFactory { get; set; }
[Inject] private PayoutProcessorService PayoutProcessorService { get; set; }
[Inject] private IAuthorizationService AuthorizationService { get; set; }
[Parameter] public string StoreId { get; set; }
private decimal? LastFiatBalance { get; set; }
private DateTimeOffset? LastDataFetch { get; set; }
@@ -66,11 +69,13 @@
}
private bool _editMode;
private bool _readOnly;
protected override async Task OnAfterRenderAsync(bool firstRender)
{
if (firstRender)
{
_readOnly = !(await AuthorizationService.AuthorizeAsync(HttpContextAccessor.HttpContext.User, StoreId, Policies.CanModifyStoreSettings )).Succeeded;
OnboardLink = LinkGenerator.GetUriByAction(HttpContextAccessor.HttpContext, "Onboard", "Bringin", new {StoreId});
PmiLink = $"A payout processor has not been configured for this payment method. Payouts generated by Bringin will not be automatically handled. <a href=\"{LinkGenerator.GetUriByAction(HttpContextAccessor.HttpContext, "ConfigureStorePayoutProcessors", "UIPayoutProcessors", new {StoreId})}\">Configure now</a>";
_callbackLink = LinkGenerator.GetUriByAction(HttpContextAccessor.HttpContext, "Callback", "Bringin", new {StoreId});
@@ -338,6 +343,8 @@
</h4>
@if (!_readOnly)
{
<div class="d-flex gap-2">
@if (_manualOrder)
{
@@ -363,6 +370,7 @@
<button class="btn btn-sm btn-outline-secondary" @onclick="CancelEdit" disabled="@_saving">Cancel edit</button>
}
</div>
}
</header>
@@ -371,10 +379,14 @@
<p class="text-secondary my-3">
Bringin is a service that allows you to automatically convert your BTC to EUR and send it to your bank account. Start configuring it by clicking on the button below.
</p>
@if (!_readOnly)
{
<div class="d-flex">
<button class="btn btn-lg btn-outline-primary" @onclick="Edit">Configure</button>
</div>
}
}
else if (_manualOrder)
{
var items = new List<PaymentMethodId>();
@@ -439,7 +451,7 @@
</div>
</div>
}
else if (!EditMode)
else if (!EditMode || _readOnly)
{
@if (LastFiatBalance is not null)
{
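Review bot: `_readOnly` is declared without an initializer, so it is `false` until the `AuthorizeAsync` call in `OnAfterRenderAsync` completes, and the controls guarded by `@if (!_readOnly)` can render for a view-only user in that window. Declaring it as `private bool _readOnly = true;` makes the component fail closed; the markup outside these hunks may already gate on `_isLoaded`, which is not visible here. Hiding the buttons is presentation only now that the `Edit` action is reachable with `CanViewStoreSettings`, so the handlers that persist settings (outside these hunks) should also return early when `_readOnly` is set.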


@@ -9,7 +9,7 @@
@if (!string.IsNullOrEmpty(storeId))
{
<li class="nav-item">
<a permission="@Policies.CanModifyStoreSettings" asp-controller="Bringin" asp-action="Edit" asp-route-storeId="@storeId" class="nav-link @ViewData.IsActivePage("Bringin")" id="Nav-Bringin">
<a permission="@Policies.CanViewStoreSettings" asp-controller="Bringin" asp-action="Edit" asp-route-storeId="@storeId" class="nav-link @ViewData.IsActivePage("Bringin")" id="Nav-Bringin">
<svg xmlns="http://www.w3.org/2000/svg" style="margin-right: 7px;" width="14.000000pt" height="14.000000pt" viewBox="0 0 32.000000 32.000000" preserveAspectRatio="xMidYMid meet">
<g transform="translate(0.000000,32.000000) scale(0.100000,-0.100000)" fill="currentColor" stroke="none">


@@ -1,6 +1,10 @@
@using BTCPayServer.Abstractions.Contracts
@using BTCPayServer.Abstractions.TagHelpers
@using BTCPayServer.Client
@using BTCPayServer.Common
@using BTCPayServer.Components.TruncateCenter
@using BTCPayServer.Plugins.Wabisabi
@using Microsoft.AspNetCore.Mvc.TagHelpers
@using Microsoft.Extensions.Logging
@using NBitcoin
@using WalletWasabi.WabiSabi.Backend.Rounds
@@ -33,7 +37,7 @@
@if (!enabledSettings.Any())
{
<div class="widget">
<div class="widget" permission="@Policies.CanModifyStoreSettings">
<partial name="../WabisabiStore/UpdateWabisabiStoreSettings" model="@settings"/>
</div>
}
@@ -279,7 +283,7 @@ updateInProgressAnimation(myChart);
@(settings.Active ? "Deactivate" : "Activate")
</a>
-
<a asp-controller="WabisabiStore" asp-action="UpdateWabisabiStoreSettings" asp-route-storeId="@storeId" class="fw-semibold">
<a asp-controller="WabisabiStore" asp-action="UpdateWabisabiStoreSettings" asp-route-storeId="@storeId" class="fw-semibold" permission="@Policies.CanModifyStoreSettings">
Configure
</a>
</div>
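Review bot: The `permission` attribute is added to the Configure link and the settings widget, but the Activate/Deactivate anchor that closes just above Configure is not visibly gated. Its opening tag is outside the hunk, so confirm it also carries `permission="@Policies.CanModifyStoreSettings"`; otherwise view-only users still see a state-changing control. The attribute only removes markup, so the `WabisabiStore` actions these links target need the same policy enforced with `[Authorize]` on the server side; that controller is not among the sections shown here.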


@@ -1,4 +1,5 @@
@using BTCPayServer.Abstractions.Contracts
@using BTCPayServer.Client
@using BTCPayServer.Plugins.Wabisabi
@inject IScopeProvider ScopeProvider
@{
@@ -8,7 +9,7 @@
}
@if (!string.IsNullOrEmpty(storeId))
{
<li class="nav-item">
<li class="nav-item" permission="@Policies.CanModifyStoreSettings">
<a asp-area="" asp-controller="WabisabiStore" asp-action="UpdateWabisabiStoreSettings" asp-route-storeId="@storeId" class="nav-link js-scroll-trigger @(isActive? "active": string.Empty)">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24" class="icon" style="height: 14px;">
<path fill="currentColor" d="M12 4.942c1.827 1.105 3.474 1.6 5 1.833v7.76c0 1.606-.415 1.935-5 4.76v-14.353zm9-1.942v11.535c0 4.603-3.203 5.804-9 9.465-5.797-3.661-9-4.862-9-9.465v-11.535c3.516 0 5.629-.134 9-3 3.371 2.866 5.484 3 9 3zm-2 1.96c-2.446-.124-4.5-.611-7-2.416-2.5 1.805-4.554 2.292-7 2.416v9.575c0 3.042 1.69 3.83 7 7.107 5.313-3.281 7-4.065 7-7.107v-9.575z"/></svg>