Fix: Create store could be called with a scoped store's modify apikey (#1696)

2025-12-17 22:14:26 +01:00 · 2020-06-27 15:34:03 +09:00
parent d0188f42b7
commit dbb2924ccc
7 changed files with 112 additions and 53 deletions
--- a/BTCPayServer/Controllers/GreenField/StoresController.cs
+++ b/BTCPayServer/Controllers/GreenField/StoresController.cs
@@ -65,7 +65,7 @@ namespace BTCPayServer.Controllers.GreenField
        }
        
        [HttpPost("~/api/v1/stores")]
-        [Authorize(Policy = Policies.CanModifyStoreSettings, AuthenticationSchemes = AuthenticationSchemes.Greenfield)]
+        [Authorize(Policy = Policies.CanModifyStoreSettingsUnscoped, AuthenticationSchemes = AuthenticationSchemes.Greenfield)]
        public async Task<IActionResult> CreateStore(CreateStoreRequest request)
        {
            var validationResult = Validate(request);