CookieAuthHandler shouldn't set store context if appId/payReqId/invoiceId is not found

This commit is contained in:
nicolas.dorier
2022-01-07 17:34:06 +09:00
parent fa84e34def
commit b71a04943b
2 changed files with 15 additions and 13 deletions


@@ -28,10 +28,13 @@ namespace BTCPayServer.Tests
public static void AssertNoError(this IWebDriver driver) public static void AssertNoError(this IWebDriver driver)
{ {
if (!driver.PageSource.Contains("alert-danger")) if (driver.PageSource.Contains("alert-danger"))
return; {
foreach (var dangerAlert in driver.FindElements(By.ClassName("alert-danger"))) foreach (var dangerAlert in driver.FindElements(By.ClassName("alert-danger")))
Assert.False(dangerAlert.Displayed, $"No alert should be displayed, but found this on {driver.Url}: {dangerAlert.Text}"); Assert.False(dangerAlert.Displayed, $"No alert should be displayed, but found this on {driver.Url}: {dangerAlert.Text}");
}
Assert.DoesNotContain("Access denied</h", driver.PageSource);
Assert.DoesNotContain("Page not found</h", driver.PageSource);
} }
public static T AssertViewModel<T>(this IActionResult result) public static T AssertViewModel<T>(this IActionResult result)


@@ -68,13 +68,12 @@ namespace BTCPayServer.Security
if (routeData != null) if (routeData != null)
{ {
// resolve from app // resolve from app
if (routeData.Values.TryGetValue("appId", out var vAppId)) if (routeData.Values.TryGetValue("appId", out var vAppId) && vAppId is string appId)
{ {
string appId = vAppId as string;
app = await _appService.GetAppDataIfOwner(userId, appId); app = await _appService.GetAppDataIfOwner(userId, appId);
if (storeId == null) if (storeId == null)
{ {
storeId = app?.StoreDataId; storeId = app?.StoreDataId ?? String.Empty;
} }
else if (app?.StoreDataId != storeId) else if (app?.StoreDataId != storeId)
{ {
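Review bot: The `?? String.Empty` added on the `storeId = app?.StoreDataId` line encodes an intent that nothing in the code states: an empty string appears to mean "the route named an app that was not found or not owned by this user", and its job is to keep the later `if (storeId != null)` from falling back to the user-prefs cookie store (the cookie fallback and the `IsNullOrEmpty` normalization are in the last hunk of this file). A reader sees a magic empty string and may well "fix" it back to null, reopening the behaviour the commit title describes; I would add `// Empty string: route named a resource that could not be resolved for this user; it blocks the cookie-based store fallback below` on this line, and the same comment on the two parallel lines in the payReqId and invoiceId hunks. A clearer alternative would be a local `bool routeResolutionFailed` set in these three branches and checked as `if (storeId != null && !routeResolutionFailed)`, which would also remove the need for the `IsNullOrEmpty` reset, but that is a design choice rather than a defect. The enclosing method starts and ends outside this hunk.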
@@ -82,13 +81,12 @@ namespace BTCPayServer.Security
} }
} }
// resolve from payment request // resolve from payment request
if (routeData.Values.TryGetValue("payReqId", out var vPayReqId)) if (routeData.Values.TryGetValue("payReqId", out var vPayReqId) && vPayReqId is string payReqId)
{ {
string payReqId = vPayReqId as string;
paymentRequest = await _paymentRequestRepository.FindPaymentRequest(payReqId, userId); paymentRequest = await _paymentRequestRepository.FindPaymentRequest(payReqId, userId);
if (storeId == null) if (storeId == null)
{ {
storeId = paymentRequest?.StoreDataId; storeId = paymentRequest?.StoreDataId ?? String.Empty;
} }
else if (paymentRequest?.StoreDataId != storeId) else if (paymentRequest?.StoreDataId != storeId)
{ {
@@ -96,13 +94,12 @@ namespace BTCPayServer.Security
} }
} }
// resolve from invoice // resolve from invoice
if (routeData.Values.TryGetValue("invoiceId", out var vInvoiceId)) if (routeData.Values.TryGetValue("invoiceId", out var vInvoiceId) && vInvoiceId is string invoiceId)
{ {
string invoiceId = vInvoiceId as string;
invoice = await _invoiceRepository.GetInvoice(invoiceId); invoice = await _invoiceRepository.GetInvoice(invoiceId);
if (storeId == null) if (storeId == null)
{ {
storeId = invoice?.StoreId; storeId = invoice?.StoreId ?? String.Empty;
} }
else if (invoice?.StoreId != storeId) else if (invoice?.StoreId != storeId)
{ {
@@ -117,6 +114,8 @@ namespace BTCPayServer.Security
storeId = _httpContext.GetUserPrefsCookie()?.CurrentStoreId; storeId = _httpContext.GetUserPrefsCookie()?.CurrentStoreId;
} }
if (string.IsNullOrEmpty(storeId))
storeId = null;
if (storeId != null) if (storeId != null)
{ {
store = await _storeRepository.FindStore(storeId, userId); store = await _storeRepository.FindStore(storeId, userId);