aljaz/btcpayserver
1
0
Fork 0
mirror of https://github.com/aljazceru/btcpayserver.git synced 2025-12-17 22:14:26 +01:00
Code Issues Packages Projects Releases Wiki Activity

Restrict authentication to the APIController to GreenFieldAPIKeys

Browse Source
This commit is contained in:
nicolas.dorier
2020-03-27 13:13:40 +09:00
parent d219ba5d32
commit 08abda1522
5 changed files with 9 additions and 11 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
BTCPayServer/Controllers/GreenField/UsersController.cs
View File

@@ -82,7 +82,7 @@ namespace BTCPayServer.Controllers.GreenField
// Even if subscription are unlocked, it is forbidden to create admin unauthenticated
if (anyAdmin && request.IsAdministrator is true && !isAuth)
return Forbid(AuthenticationSchemes.Greenfield);
return Forbid(AuthenticationSchemes.GreenfieldBasic);
// You are de-facto admin if there is no other admin, else you need to be auth and pass policy requirements
bool isAdmin = anyAdmin ? (await _authorizationService.AuthorizeAsync(User, null, new PolicyRequirement(Policies.CanModifyServerSettings))).Succeeded
&& (await _authorizationService.AuthorizeAsync(User, null, new PolicyRequirement(Policies.Unrestricted))).Succeeded
@@ -90,14 +90,14 @@ namespace BTCPayServer.Controllers.GreenField
: true;
// You need to be admin to create an admin
if (request.IsAdministrator is true && !isAdmin)
return Forbid(AuthenticationSchemes.Greenfield);
return Forbid(AuthenticationSchemes.GreenfieldBasic);
if (!isAdmin && policies.LockSubscription)
{
// If we are not admin and subscriptions are locked, we need to check the Policies.CanCreateUser.Key permission
var canCreateUser = (await _authorizationService.AuthorizeAsync(User, null, new PolicyRequirement(Policies.CanCreateUser))).Succeeded;
if (!isAuth || !canCreateUser)
return Forbid(AuthenticationSchemes.Greenfield);
return Forbid(AuthenticationSchemes.GreenfieldBasic);
}
var user = new ApplicationUser