aljaz/btcpayserver
1
0
Fork 0
mirror of https://github.com/aljazceru/btcpayserver.git synced 2025-12-17 14:04:26 +01:00
Code Issues Packages Projects Releases Wiki Activity

Fix bug: When creating API Key for non-admin, some checked permissions were not included (Fix #2107 and Fix #2002)

Browse Source
This commit is contained in:
nicolas.dorier
2020-12-08 15:20:59 +09:00
parent dd5fd2e5bb
commit 13f10657b8
3 changed files with 28 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

18
BTCPayServer.Tests/ApiKeysTests.cs
View File

@@ -173,6 +173,24 @@ namespace BTCPayServer.Tests
s.Driver.Navigate().GoToUrl(authUrl); s.Driver.Navigate().GoToUrl(authUrl);
Assert.False(s.Driver.Url.StartsWith("https://international.com/callback")); Assert.False(s.Driver.Url.StartsWith("https://international.com/callback"));
// Make sure we can check all permissions when not an admin
await user.MakeAdmin(false);
s.Logout();
s.GoToLogin();
s.Login(user.RegisterDetails.Email, user.RegisterDetails.Password);
s.GoToProfile(ManageNavPages.APIKeys);
s.Driver.FindElement(By.Id("AddApiKey")).Click();
int checkedPermissionCount = 0;
foreach (var checkbox in s.Driver.FindElements(By.ClassName("form-check-input")))
{
checkedPermissionCount++;
checkbox.Click();
}
s.Driver.FindElement(By.Id("Generate")).Click();
var allAPIKey = s.AssertHappyMessage().FindElement(By.TagName("code")).Text;
var apikeydata = await TestApiAgainstAccessToken<ApiKeyData>(allAPIKey, $"api/v1/api-keys/current", tester.PayTester.HttpClient);
Assert.Equal(checkedPermissionCount, apikeydata.Permissions.Length);
} }
} }

2
BTCPayServer/Controllers/ManageController.APIKeys.cs
View File

@@ -437,7 +437,7 @@ namespace BTCPayServer.Controllers
if (!isAdmin) if (!isAdmin)
{ {
foreach (var p in viewModel.PermissionValues.Where(item => Policies.IsServerPolicy(item.Permission))) foreach (var p in viewModel.PermissionValues.Where(item => item.Permission is null || Policies.IsServerPolicy(item.Permission)))
{ {
p.Forbidden = true; p.Forbidden = true;
} }

14
BTCPayServer/Views/Manage/AddApiKey.cshtml
View File

@@ -26,17 +26,21 @@
<div class="list-group mb-4"> <div class="list-group mb-4">
@for (int i = 0; i < Model.PermissionValues.Count; i++) @for (int i = 0; i < Model.PermissionValues.Count; i++)
{ {
@if (!Model.PermissionValues[i].Forbidden) @if (Model.PermissionValues[i].Forbidden)
{ {
<input type="hidden" asp-for="PermissionValues[i].Permission"/> <input type="hidden" asp-for="PermissionValues[i].Value" value="false" />
}
else
{
<input type="hidden" asp-for="PermissionValues[i].Permission" />
@if (Policies.IsStorePolicy(Model.PermissionValues[i].Permission)) @if (Policies.IsStorePolicy(Model.PermissionValues[i].Permission))
{ {
<input type="hidden" asp-for="PermissionValues[i].StoreMode" value="@Model.PermissionValues[i].StoreMode"/> <input type="hidden" asp-for="PermissionValues[i].StoreMode" value="@Model.PermissionValues[i].StoreMode" />
@if (Model.PermissionValues[i].StoreMode == ManageController.AddApiKeyViewModel.ApiKeyStoreMode.AllStores) @if (Model.PermissionValues[i].StoreMode == ManageController.AddApiKeyViewModel.ApiKeyStoreMode.AllStores)
{ {
<div class="list-group-item form-group py-3"> <div class="list-group-item form-group py-3">
<div class="form-check"> <div class="form-check">
<input id="@Model.PermissionValues[i].Permission" type="checkbox" asp-for="PermissionValues[i].Value" class="form-check-input ml-n4"/> <input id="@Model.PermissionValues[i].Permission" type="checkbox" asp-for="PermissionValues[i].Value" class="form-check-input ml-n4" />
<label for="@Model.PermissionValues[i].Permission" class="h5 form-check-label mr-2 mb-1">@Model.PermissionValues[i].Title</label> <label for="@Model.PermissionValues[i].Permission" class="h5 form-check-label mr-2 mb-1">@Model.PermissionValues[i].Title</label>
<button type="submit" class="btn btn-link p-0 mb-1" name="command" value="@($"{Model.PermissionValues[i].Permission}:change-store-mode")">Select specific stores</button> <button type="submit" class="btn btn-link p-0 mb-1" name="command" value="@($"{Model.PermissionValues[i].Permission}:change-store-mode")">Select specific stores</button>
<span asp-validation-for="PermissionValues[i].Value" class="text-danger"></span> <span asp-validation-for="PermissionValues[i].Value" class="text-danger"></span>
@@ -90,7 +94,7 @@
{ {
<div class="list-group-item form-group py-3"> <div class="list-group-item form-group py-3">
<div class="form-check"> <div class="form-check">
<input id="@Model.PermissionValues[i].Permission" type="checkbox" asp-for="PermissionValues[i].Value" class="form-check-input ml-n4"/> <input id="@Model.PermissionValues[i].Permission" type="checkbox" asp-for="PermissionValues[i].Value" class="form-check-input ml-n4" />
<label for="@Model.PermissionValues[i].Permission" class="h5 form-check-label mr-2 mb-1">@Model.PermissionValues[i].Title</label> <label for="@Model.PermissionValues[i].Permission" class="h5 form-check-label mr-2 mb-1">@Model.PermissionValues[i].Title</label>
<span asp-validation-for="PermissionValues[i].Value" class="text-danger"></span> <span asp-validation-for="PermissionValues[i].Value" class="text-danger"></span>
<span class="form-text text-muted">@Model.PermissionValues[i].Description</span> <span class="form-text text-muted">@Model.PermissionValues[i].Description</span>