Fix: Create store could be called with a scoped store's modify apikey (#1696)

Nicolas Dorier
2020-06-27 15:34:03 +09:00
committed by GitHub
parent d0188f42b7
commit dbb2924ccc
7 changed files with 112 additions and 53 deletions


@@ -46,14 +46,19 @@ namespace BTCPayServer.Security.GreenField
c.Type.Equals(GreenFieldConstants.ClaimTypes.Permission, StringComparison.InvariantCultureIgnoreCase))
.Select(claim => claim.Value).ToArray();
}
public static bool HasPermission(this AuthorizationHandlerContext context, Permission permission)
{
return HasPermission(context, permission, false);
}
public static bool HasPermission(this AuthorizationHandlerContext context, Permission permission, bool requireUnscoped)
{
foreach (var claim in context.User.Claims.Where(c =>
c.Type.Equals(GreenFieldConstants.ClaimTypes.Permission, StringComparison.InvariantCultureIgnoreCase)))
{
if (Permission.TryParse(claim.Value, out var claimPermission))
{
if (requireUnscoped && claimPermission.Scope is string)
continue;
if (claimPermission.Contains(permission))
{
return true;
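Review bot: The two-argument `HasPermission(context, permission)` overload forwards `false`, so accepting store-scoped claims remains the default and each handler that authorizes a non-store-scoped action must opt in explicitly. Any call site that is missed keeps honouring a scoped key. Because this is an authorization helper, both overloads should carry XML docs that state this, for example `/// <param name="requireUnscoped">When true, claims whose permission carries a scope are skipped, so only an unscoped grant satisfies the check.</param>`. The check on the added `continue` line would also be clearer as `if (requireUnscoped && claimPermission.Scope != null)`, assuming `Scope` is declared as a string. The `foreach` body continues past the end of this hunk, so how non-matching claims fall through is not visible here.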