Introduce Spam protection

fixes #1958

Adds 2 new options:
* Do not allow stores to use the server's email settings. Instead, each store would need to configure its own email settings
* Do not allow user creation through the API unless you are an admin.

Both are opt-in and turned off by default.
This commit is contained in:
Kukks
2020-12-04 08:08:05 +01:00
parent ba027de3f7
commit c17b8e4d9e
4 changed files with 35 additions and 11 deletions


@@ -8,6 +8,7 @@ using BTCPayServer.Client.Models;
using BTCPayServer.Configuration;
using BTCPayServer.Data;
using BTCPayServer.Events;
using BTCPayServer.HostedServices;
using BTCPayServer.Logging;
using BTCPayServer.Security;
using BTCPayServer.Security.GreenField;
@@ -35,6 +36,7 @@ namespace BTCPayServer.Controllers.GreenField
private readonly RateLimitService _throttleService;
private readonly BTCPayServerOptions _options;
private readonly IAuthorizationService _authorizationService;
private readonly CssThemeManager _themeManager;
public UsersController(UserManager<ApplicationUser> userManager, BTCPayServerOptions btcPayServerOptions,
RoleManager<IdentityRole> roleManager, SettingsRepository settingsRepository,
@@ -42,7 +44,8 @@ namespace BTCPayServer.Controllers.GreenField
IPasswordValidator<ApplicationUser> passwordValidator,
RateLimitService throttleService,
BTCPayServerOptions options,
IAuthorizationService authorizationService)
IAuthorizationService authorizationService,
CssThemeManager themeManager)
{
_userManager = userManager;
_btcPayServerOptions = btcPayServerOptions;
@@ -53,6 +56,7 @@ namespace BTCPayServer.Controllers.GreenField
_throttleService = throttleService;
_options = options;
_authorizationService = authorizationService;
_themeManager = themeManager;
}
[Authorize(Policy = Policies.CanViewProfile, AuthenticationSchemes = AuthenticationSchemes.Greenfield)]
@@ -100,7 +104,7 @@ namespace BTCPayServer.Controllers.GreenField
if (request.IsAdministrator is true && !isAdmin)
return Forbid(AuthenticationSchemes.GreenfieldBasic);
if (!isAdmin && policies.LockSubscription)
if (!isAdmin && (policies.LockSubscription || _themeManager.Policies.DisableUnauthenticatedUserApi))
{
// If we are not admin and subscriptions are locked, we need to check the Policies.CanCreateUser.Key permission
var canCreateUser = (await _authorizationService.AuthorizeAsync(User, null, new PolicyRequirement(Policies.CanCreateUser))).Succeeded;