enhance fine grain permissions (#5502)

Co-authored-by: d11n <mail@dennisreimann.de>
2025-12-18 06:24:24 +01:00 · 2023-12-01 09:12:02 +01:00
parent 2c94a87be4
commit 605741182d
22 changed files with 167 additions and 71 deletions
--- a/BTCPayServer/Controllers/UIPaymentRequestController.cs
+++ b/BTCPayServer/Controllers/UIPaymentRequestController.cs
@@ -71,8 +71,9 @@ namespace BTCPayServer.Controllers
            FormDataService = formDataService;
        }

-        [BitpayAPIConstraint(false)]
+        
        [HttpGet("/stores/{storeId}/payment-requests")]
+        [Authorize(Policy = Policies.CanViewPaymentRequests, AuthenticationSchemes = AuthenticationSchemes.Cookie)]
        public async Task<IActionResult> GetPaymentRequests(string storeId, ListPaymentRequestsViewModel model = null)
        {
            model = this.ParseListQuery(model ?? new ListPaymentRequestsViewModel());
@@ -105,6 +106,7 @@ namespace BTCPayServer.Controllers
        }

        [HttpGet("/stores/{storeId}/payment-requests/edit/{payReqId?}")]
+        [Authorize(Policy = Policies.CanViewPaymentRequests, AuthenticationSchemes = AuthenticationSchemes.Cookie)]
        public async Task<IActionResult> EditPaymentRequest(string storeId, string payReqId)
        {
            var store = GetCurrentStore();
@@ -127,6 +129,7 @@ namespace BTCPayServer.Controllers
        }

        [HttpPost("/stores/{storeId}/payment-requests/edit/{payReqId?}")]
+        [Authorize(Policy = Policies.CanModifyPaymentRequests, AuthenticationSchemes = AuthenticationSchemes.Cookie)]
        public async Task<IActionResult> EditPaymentRequest(string payReqId, UpdatePaymentRequestViewModel viewModel)
        {
            if (!string.IsNullOrEmpty(viewModel.Currency) &&
@@ -386,6 +389,7 @@ namespace BTCPayServer.Controllers
        }

        [HttpGet("{payReqId}/clone")]
+        [Authorize(Policy = Policies.CanModifyPaymentRequests, AuthenticationSchemes = AuthenticationSchemes.Cookie)]
        public async Task<IActionResult> ClonePaymentRequest(string payReqId)
        {
            var store = GetCurrentStore();
@@ -405,6 +409,7 @@ namespace BTCPayServer.Controllers
        }

        [HttpGet("{payReqId}/archive")]
+        [Authorize(Policy = Policies.CanModifyPaymentRequests, AuthenticationSchemes = AuthenticationSchemes.Cookie)]
        public async Task<IActionResult> TogglePaymentRequestArchival(string payReqId)
        {
            var store = GetCurrentStore();