Remove anonymous access to invoice data

2025-12-18 22:44:29 +01:00 · 2018-12-06 16:58:04 +09:00
parent ab670080c7
commit 1477630c78
2 changed files with 8 additions and 4 deletions
--- a/BTCPayServer/Controllers/InvoiceController.UI.cs
+++ b/BTCPayServer/Controllers/InvoiceController.UI.cs
@@ -30,11 +30,13 @@ namespace BTCPayServer.Controllers
    {
        [HttpGet]
        [Route("invoices/{invoiceId}")]
+        [Authorize(AuthenticationSchemes = Policies.CookieAuthentication)]
        public async Task<IActionResult> Invoice(string invoiceId)
        {
            var invoice = (await _InvoiceRepository.GetInvoices(new InvoiceQuery()
            {
                InvoiceId = invoiceId,
+                UserId = GetUserId(),
                IncludeAddresses = true,
                IncludeEvents = true
            })).FirstOrDefault();