Invoices: Allow admin to see invoices of users (#6517)

* Invoices: Allow admin to see invoices of users

Fixes #6489. As discussed with @TChukwuleta, this succeeds and closes #6497.

* Invoices: Allow admin to see invoices of users

Fixes #6489. As discussed with @TChukwuleta, this succeeds and closes #6497.

* Update controller to allow admin access for basic invoice actions

BTCPayServer/Controllers/UIInvoiceController.UI.cs

@@ -56,8 +56,8 @@ namespace BTCPayServer.Controllers
         {
             var invoice = (await _InvoiceRepository.GetInvoices(new InvoiceQuery
             {
-                InvoiceId = new[] { invoiceId },
+                InvoiceId = [invoiceId],
-                UserId = GetUserId()
+                UserId = GetUserIdForInvoiceQuery()
             })).FirstOrDefault();
             if (invoice is null)
                 return NotFound();
@@ -71,11 +71,11 @@ namespace BTCPayServer.Controllers
         [Authorize(Policy = Policies.CanModifyStoreSettings, AuthenticationSchemes = AuthenticationSchemes.Cookie)]
         public async Task<IActionResult> RedeliverWebhook(string storeId, string invoiceId, string deliveryId)
         {
-            var invoice = (await _InvoiceRepository.GetInvoices(new InvoiceQuery()
+            var invoice = (await _InvoiceRepository.GetInvoices(new InvoiceQuery
             {
-                InvoiceId = new[] { invoiceId },
+                InvoiceId = [invoiceId],
-                StoreId = new[] { storeId },
+                StoreId = [storeId],
-                UserId = GetUserId()
+                UserId = GetUserIdForInvoiceQuery()
             })).FirstOrDefault();
             if (invoice is null)
                 return NotFound();
@@ -100,8 +100,8 @@ namespace BTCPayServer.Controllers
         {
             var invoice = (await _InvoiceRepository.GetInvoices(new InvoiceQuery
             {
-                InvoiceId = new[] { invoiceId },
+                InvoiceId = [invoiceId],
-                UserId = GetUserId(),
+                UserId = GetUserIdForInvoiceQuery(),
                 IncludeAddresses = true,
                 IncludeArchived = true,
                 IncludeRefunds = true,
@@ -599,8 +599,8 @@ namespace BTCPayServer.Controllers
         {
             var invoice = (await _InvoiceRepository.GetInvoices(new InvoiceQuery
             {
-                InvoiceId = new[] { invoiceId },
+                InvoiceId = [invoiceId],
-                UserId = GetUserId(),
+                UserId = GetUserIdForInvoiceQuery(),
                 IncludeAddresses = false,
                 IncludeArchived = true,
             })).FirstOrDefault();
@@ -1116,7 +1116,7 @@ namespace BTCPayServer.Controllers
             return new InvoiceQuery
             {
                 TextSearch = textSearch,
-                UserId = GetUserId(),
+                UserId = GetUserIdForInvoiceQuery(),
                 Unusual = fs.GetFilterBool("unusual"),
                 IncludeArchived = fs.GetFilterBool("includearchived") ?? false,
                 Status = fs.GetFilterArray("status"),
@@ -1257,8 +1257,8 @@ namespace BTCPayServer.Controllers
         {
             var invoice = (await _InvoiceRepository.GetInvoices(new InvoiceQuery
             {
-                InvoiceId = new[] { invoiceId },
+                InvoiceId = [invoiceId],
-                UserId = GetUserId()
+                UserId = GetUserIdForInvoiceQuery()
             })).FirstOrDefault();
             var model = new InvoiceStateChangeModel();
             if (invoice == null)
@@ -1292,6 +1292,9 @@ namespace BTCPayServer.Controllers
 
         private string GetUserId() => _UserManager.GetUserId(User)!;
 
+        // Let server admin lookup invoices from users, see #6489
+        private string? GetUserIdForInvoiceQuery() => User.IsInRole(Roles.ServerAdmin) ? null : GetUserId();
+
         private SelectList GetPaymentMethodsSelectList(StoreData store)
         {
             return new SelectList(store.GetPaymentMethodConfigs(_handlers, true)