Mention the missing API permission in the response of a Greenfield request (#3195)

* Mention the missing API permission in the response header or body * Fixes + Added a unit test. 1 TODO remains. * Added MissingPermissionDescription to the error * Update BTCPayServer.Tests/GreenfieldAPITests.cs Co-authored-by: Nicolas Dorier <nicolas.dorier@gmail.com> * Fix tests * [GreenField]: Make sure we are sending fully typed errors Co-authored-by: Nicolas Dorier <nicolas.dorier@gmail.com>
2025-12-17 22:14:26 +01:00 · 2021-12-16 15:04:06 +01:00
parent 89a52703f6
commit 6de4f6a3ac
13 changed files with 194 additions and 90 deletions
--- a/BTCPayServer/Controllers/GreenField/UsersController.cs
+++ b/BTCPayServer/Controllers/GreenField/UsersController.cs
@@ -102,11 +102,11 @@ namespace BTCPayServer.Controllers.GreenField

            // If registration are locked and that an admin exists, don't accept unauthenticated connection
            if (anyAdmin && policies.LockSubscription && !isAuth)
-                return Unauthorized();
+                return this.CreateAPIError(401, "unauthenticated", "New user creation isn't authorized to users who are not admin");

            // Even if subscription are unlocked, it is forbidden to create admin unauthenticated
            if (anyAdmin && request.IsAdministrator is true && !isAuth)
-                return Forbid(AuthenticationSchemes.GreenfieldBasic);
+                return this.CreateAPIError(401, "unauthenticated", "New admin creation isn't authorized to users who are not admin");
            // You are de-facto admin if there is no other admin, else you need to be auth and pass policy requirements
            bool isAdmin = anyAdmin ? (await _authorizationService.AuthorizeAsync(User, null, new PolicyRequirement(Policies.CanModifyServerSettings))).Succeeded
                                     && (await _authorizationService.AuthorizeAsync(User, null, new PolicyRequirement(Policies.Unrestricted))).Succeeded
@@ -114,14 +114,14 @@ namespace BTCPayServer.Controllers.GreenField
                                    : true;
            // You need to be admin to create an admin
            if (request.IsAdministrator is true && !isAdmin)
-                return Forbid(AuthenticationSchemes.GreenfieldBasic);
+                return this.CreateAPIPermissionError(Policies.Unrestricted, $"Insufficient API Permissions. Please use an API key with permission: {Policies.Unrestricted} and be an admin.");

            if (!isAdmin && (policies.LockSubscription || (await _settingsRepository.GetPolicies()).DisableNonAdminCreateUserApi))
            {
                // If we are not admin and subscriptions are locked, we need to check the Policies.CanCreateUser.Key permission
                var canCreateUser = (await _authorizationService.AuthorizeAsync(User, null, new PolicyRequirement(Policies.CanCreateUser))).Succeeded;
                if (!isAuth || !canCreateUser)
-                    return Forbid(AuthenticationSchemes.GreenfieldBasic);
+                    return this.CreateAPIPermissionError(Policies.CanCreateUser);
            }

            var user = new ApplicationUser