aljaz/btcpayserver
1
0
Fork 0
mirror of https://github.com/aljazceru/btcpayserver.git synced 2025-12-18 14:34:23 +01:00
Code Issues Packages Projects Releases Wiki Activity

permission check for auth

Browse Source
This commit is contained in:
Kukks
2020-08-04 10:03:51 +02:00
parent 7ca74aeea7
commit dbe7f464bd
1 changed files with 38 additions and 16 deletions
Download Patch File Download Diff File Expand all files Collapse all files

54
BTCPayServer/Controllers/ManageController.APIKeys.cs
View File

@@ -108,7 +108,7 @@ namespace BTCPayServer.Controllers
permissions ??= Array.Empty<string>(); permissions ??= Array.Empty<string>();
var parsedPermissions = Permission.ToPermissions(permissions).GroupBy(permission => permission.Policy); var requestPermissions = Permission.ToPermissions(permissions);
if (!string.IsNullOrEmpty(applicationIdentifier) && redirect != null) if (!string.IsNullOrEmpty(applicationIdentifier) && redirect != null)
{ {
//check if there is an app identifier that matches and belongs to the current user //check if there is an app identifier that matches and belongs to the current user
@@ -128,21 +128,43 @@ namespace BTCPayServer.Controllers
continue; continue;
} }
//matched the identifier and authority, but we need to check if what the app is requesting in terms of permissions is enough //matched the identifier and authority, but we need to check if what the app is requesting in terms of permissions is enough
var alreadyPresentPermissions = Permission.ToPermissions(blob.Permissions); var alreadyPresentPermissions = Permission.ToPermissions(blob.Permissions).GroupBy(permission => permission.Policy);
var fail = false;
foreach (var permission in requestPermissions.GroupBy(permission => permission.Policy))
{
var presentPermission =
alreadyPresentPermissions.SingleOrDefault(grouping => permission.Key == grouping.Key);
if (strict && presentPermission == null)
{
fail = true;
break;
}
if(Policies.IsStorePolicy(permission.Key))
{
if (!selectiveStores && permission.Any(permission1 => !string.IsNullOrEmpty(permission1.Scope)))
{
TempData.SetStatusMessageModel(new StatusMessageModel()
{
Severity = StatusMessageModel.StatusSeverity.Error,
Message = "Cannot request specific store permission when selectiveStores is not enable"
});
return RedirectToAction("APIKeys");
}else if (!selectiveStores && presentPermission.Any(permission1 =>
!string.IsNullOrEmpty(permission1.Scope)))
{
fail = true;
break;
}
}
}
var selectiveStorePermissions = if (fail)
alreadyPresentPermissions.Where(permission => !string.IsNullOrEmpty(permission.Scope)); {
//if application is requesting the store management permission without the selective option but the existing key only has selective stores, skip continue;
if(parsedPermissions) }
if (permissions.Contains(APIKeyConstants.Permissions.StoreManagement) && !selectiveStores && selectiveStorePermissions.Any())
{
continue;
}
if (strict && permissions.Any(s => !blob.Permissions.Contains(s)))
{
continue;
}
//we have a key that is sufficient, redirect to a page to confirm that it's ok to provide this key to the app. //we have a key that is sufficient, redirect to a page to confirm that it's ok to provide this key to the app.
return View("Confirm", return View("Confirm",
new ConfirmModel() new ConfirmModel()
@@ -164,7 +186,7 @@ namespace BTCPayServer.Controllers
ApplicationName = applicationName, ApplicationName = applicationName,
SelectiveStores = selectiveStores, SelectiveStores = selectiveStores,
Strict = strict, Strict = strict,
Permissions = string.Join(';', parsedPermissions.SelectMany(grouping => grouping.Select(permission => permission.ToString()))), Permissions = string.Join(';', requestPermissions),
ApplicationIdentifier = applicationIdentifier ApplicationIdentifier = applicationIdentifier
}); });
AdjustVMForAuthorization(vm); AdjustVMForAuthorization(vm);