Authorize granular permissions (#1057)

* granular scope permissions for api

* final fixes and styling

* prettify code

* fix missing policy

BTCPayServer/Controllers/RestApi/TestController.cs

@@ -1,4 +1,5 @@
 using System.Threading.Tasks;
+using BTCPayServer.Authentication;
 using BTCPayServer.Data;
 using BTCPayServer.Models;
 using BTCPayServer.Security;
@@ -41,9 +42,10 @@ namespace BTCPayServer.Controllers.RestApi
 
         [HttpGet("me/is-admin")]
         public bool AmIAnAdmin()
-        { 
-            return  User.IsInRole(Roles.ServerAdmin);
+        {
+            return User.IsInRole(Roles.ServerAdmin);
         }
+
         [HttpGet("me/stores")]
         public async Task<StoreData[]> GetCurrentUserStores()
         {
@@ -52,10 +54,63 @@ namespace BTCPayServer.Controllers.RestApi
 
 
         [HttpGet("me/stores/{storeId}/can-edit")]
-        [Authorize(Policy = Policies.CanModifyStoreSettings.Key, AuthenticationSchemes = OpenIddictValidationDefaults.AuthenticationScheme)]
+        [Authorize(Policy = Policies.CanModifyStoreSettings.Key,
+            AuthenticationSchemes = OpenIddictValidationDefaults.AuthenticationScheme)]
         public bool CanEdit(string storeId)
         {
             return true;
         }
+
+
+        #region scopes tests
+
+        [Authorize(Policy = RestAPIPolicies.CanViewStores,
+            AuthenticationSchemes = OpenIddictValidationDefaults.AuthenticationScheme)]
+        [HttpGet(nameof(ScopeCanViewStores))]
+        public bool ScopeCanViewStores() { return true; }
+
+        [Authorize(Policy = RestAPIPolicies.CanManageStores,
+            AuthenticationSchemes = OpenIddictValidationDefaults.AuthenticationScheme)]
+        [HttpGet(nameof(ScopeCanManageStores))]
+        public bool ScopeCanManageStores() { return true; }
+
+        [Authorize(Policy = RestAPIPolicies.CanViewInvoices,
+            AuthenticationSchemes = OpenIddictValidationDefaults.AuthenticationScheme)]
+        [HttpGet(nameof(ScopeCanViewInvoices))]
+        public bool ScopeCanViewInvoices() { return true; }
+
+        [Authorize(Policy = RestAPIPolicies.CanCreateInvoices,
+            AuthenticationSchemes = OpenIddictValidationDefaults.AuthenticationScheme)]
+        [HttpGet(nameof(ScopeCanCreateInvoices))]
+        public bool ScopeCanCreateInvoices() { return true; }
+
+        [Authorize(Policy = RestAPIPolicies.CanManageInvoices,
+            AuthenticationSchemes = OpenIddictValidationDefaults.AuthenticationScheme)]
+        [HttpGet(nameof(ScopeCanManageInvoices))]
+        public bool ScopeCanManageInvoices() { return true; }
+
+        [Authorize(Policy = RestAPIPolicies.CanManageApps,
+            AuthenticationSchemes = OpenIddictValidationDefaults.AuthenticationScheme)]
+        [HttpGet(nameof(ScopeCanManageApps))]
+        public bool ScopeCanManageApps() { return true; }
+
+        [Authorize(Policy = RestAPIPolicies.CanViewApps,
+            AuthenticationSchemes = OpenIddictValidationDefaults.AuthenticationScheme)]
+        
+        [HttpGet(nameof(ScopeCanViewApps))]
+        public bool ScopeCanViewApps() { return true; }
+
+        [Authorize(Policy = RestAPIPolicies.CanManageWallet,
+            AuthenticationSchemes = OpenIddictValidationDefaults.AuthenticationScheme)]
+        [HttpGet(nameof(ScopeCanManageWallet))]
+        public bool ScopeCanManageWallet() { return true; }
+
+        [Authorize(Policy = RestAPIPolicies.CanViewProfile,
+            AuthenticationSchemes = OpenIddictValidationDefaults.AuthenticationScheme)]
+        
+        [HttpGet(nameof(ScopeCanViewProfile))]
+        public bool ScopeCanViewProfile() { return true; }
+
+        #endregion
     }
 }