Support Admin being able to view stores (#5782)

* Support Admin being able to view stores * fix null check * Delete obsolete empty view * Add test * Apply CanViewStoreSettings policy changes Taken from #5719 * Fix Selenium tests * Update dashboard permission requirement --------- Co-authored-by: Dennis Reimann <mail@dennisreimann.de>
2025-12-17 22:14:26 +01:00 · 2024-03-14 10:25:40 +01:00
parent f1ff913cbe
commit e497903bf4
49 changed files with 440 additions and 286 deletions
--- a/BTCPayServer/Controllers/UIStoresController.cs
+++ b/BTCPayServer/Controllers/UIStoresController.cs
@@ -12,7 +12,6 @@ using BTCPayServer.Abstractions.Models;
 using BTCPayServer.Client;
 using BTCPayServer.Configuration;
 using BTCPayServer.Data;
-using BTCPayServer.HostedServices;
 using BTCPayServer.HostedServices.Webhooks;
 using BTCPayServer.Models;
 using BTCPayServer.Models.StoreViewModels;
@@ -39,10 +38,9 @@ using StoreData = BTCPayServer.Data.StoreData;

 namespace BTCPayServer.Controllers
 {
-   
    [Route("stores")]
    [Authorize(AuthenticationSchemes = AuthenticationSchemes.Cookie)]
-    [Authorize(Policy = Policies.CanModifyStoreSettings, AuthenticationSchemes = AuthenticationSchemes.Cookie)]
+    [Authorize(Policy = Policies.CanViewStoreSettings, AuthenticationSchemes = AuthenticationSchemes.Cookie)]
    [AutoValidateAntiforgeryToken]
    public partial class UIStoresController : Controller
    {
@@ -145,21 +143,19 @@ namespace BTCPayServer.Controllers
            if (string.IsNullOrEmpty(userId))
                return Forbid();
            
-            var store = await _Repo.FindStore(storeId, userId);
+            var store = await _Repo.FindStore(storeId);
            if (store is null)
-            {
-                return Forbid();
-            }
-            HttpContext.SetStoreData(store);
-            if (store.GetPermissionSet(userId).Contains(Policies.CanModifyStoreSettings, storeId))
+                return NotFound();
+
+            if ((await _authorizationService.AuthorizeAsync(User, Policies.CanModifyStoreSettings)).Succeeded)
            {
                return RedirectToAction("Dashboard", new { storeId });
            }
-            if (store.GetPermissionSet(userId).Contains(Policies.CanViewInvoices, storeId))
+            if ((await _authorizationService.AuthorizeAsync(User, Policies.CanViewInvoices)).Succeeded)
            {
                return RedirectToAction("ListInvoices", "UIInvoice", new { storeId });
            }
-            return View();
+            return Forbid();
        }

        [HttpGet("{storeId}/users")]
@@ -182,9 +178,10 @@ namespace BTCPayServer.Controllers
            }).ToList();
        }

-        public StoreData CurrentStore => HttpContext.GetStoreData();
+        public StoreData? CurrentStore => HttpContext.GetStoreData();

        [HttpPost("{storeId}/users")]
+        [Authorize(Policy = Policies.CanModifyStoreSettings, AuthenticationSchemes = AuthenticationSchemes.Cookie)]
        public async Task<IActionResult> StoreUsers(string storeId, StoreUsersViewModel vm)
        {
            await FillUsers(vm);
@@ -217,6 +214,7 @@ namespace BTCPayServer.Controllers
        }

        [HttpGet("{storeId}/users/{userId}/delete")]
+        [Authorize(Policy = Policies.CanModifyStoreSettings, AuthenticationSchemes = AuthenticationSchemes.Cookie)]
        public async Task<IActionResult> DeleteStoreUser(string userId)
        {
            var user = await _UserManager.FindByIdAsync(userId);
@@ -226,6 +224,7 @@ namespace BTCPayServer.Controllers
        }

        [HttpPost("{storeId}/users/{userId}/delete")]
+        [Authorize(Policy = Policies.CanModifyStoreSettings, AuthenticationSchemes = AuthenticationSchemes.Cookie)]
        public async Task<IActionResult> DeleteStoreUserPost(string storeId, string userId)
        {
            if (await _Repo.RemoveStoreUser(storeId, userId))
@@ -255,6 +254,7 @@ namespace BTCPayServer.Controllers
        }

        [HttpPost("{storeId}/rates")]
+        [Authorize(Policy = Policies.CanModifyStoreSettings, AuthenticationSchemes = AuthenticationSchemes.Cookie)]
        public async Task<IActionResult> Rates(RatesViewModel model, string? command = null, string? storeId = null, CancellationToken cancellationToken = default)
        {
            if (command == "scripting-on")
@@ -373,6 +373,7 @@ namespace BTCPayServer.Controllers
        }

        [HttpGet("{storeId}/rates/confirm")]
+        [Authorize(Policy = Policies.CanModifyStoreSettings, AuthenticationSchemes = AuthenticationSchemes.Cookie)]
        public IActionResult ShowRateRules(bool scripting)
        {
            return View("Confirm", new ConfirmModel
@@ -387,6 +388,7 @@ namespace BTCPayServer.Controllers
        }

        [HttpPost("{storeId}/rates/confirm")]
+        [Authorize(Policy = Policies.CanModifyStoreSettings, AuthenticationSchemes = AuthenticationSchemes.Cookie)]
        public async Task<IActionResult> ShowRateRulesPost(bool scripting)
        {
            var blob = CurrentStore.GetStoreBlob();
@@ -487,6 +489,7 @@ namespace BTCPayServer.Controllers
        }

        [HttpPost("{storeId}/checkout")]
+        [Authorize(Policy = Policies.CanModifyStoreSettings, AuthenticationSchemes = AuthenticationSchemes.Cookie)]
        public async Task<IActionResult> CheckoutAppearance(CheckoutAppearanceViewModel model, [FromForm] bool RemoveSoundFile = false)
        {
            bool needUpdate = false;
@@ -723,6 +726,7 @@ namespace BTCPayServer.Controllers
        }

        [HttpPost("{storeId}/settings")]
+        [Authorize(Policy = Policies.CanModifyStoreSettings, AuthenticationSchemes = AuthenticationSchemes.Cookie)]
        public async Task<IActionResult> GeneralSettings(
            GeneralSettingsViewModel model,
            [FromForm] bool RemoveLogoFile = false,
@@ -863,7 +867,7 @@ namespace BTCPayServer.Controllers
        }

        [HttpPost("{storeId}/archive")]
-        [Authorize(AuthenticationSchemes = AuthenticationSchemes.Cookie, Policy = Policies.CanModifyStoreSettings)]
+        [Authorize(Policy = Policies.CanModifyStoreSettings, AuthenticationSchemes = AuthenticationSchemes.Cookie)]
        public async Task<IActionResult> ToggleArchive(string storeId)
        {
            CurrentStore.Archived = !CurrentStore.Archived;
@@ -880,12 +884,14 @@ namespace BTCPayServer.Controllers
        }

        [HttpGet("{storeId}/delete")]
+        [Authorize(Policy = Policies.CanModifyStoreSettings, AuthenticationSchemes = AuthenticationSchemes.Cookie)]
        public IActionResult DeleteStore(string storeId)
        {
            return View("Confirm", new ConfirmModel("Delete store", "The store will be permanently deleted. This action will also delete all invoices, apps and data associated with the store. Are you sure?", "Delete"));
        }

        [HttpPost("{storeId}/delete")]
+        [Authorize(Policy = Policies.CanModifyStoreSettings, AuthenticationSchemes = AuthenticationSchemes.Cookie)]
        public async Task<IActionResult> DeleteStorePost(string storeId)
        {
            await _Repo.DeleteStore(CurrentStore.Id);
@@ -945,6 +951,7 @@ namespace BTCPayServer.Controllers
        }

        [HttpGet("{storeId}/tokens/{tokenId}/revoke")]
+        [Authorize(Policy = Policies.CanModifyStoreSettings, AuthenticationSchemes = AuthenticationSchemes.Cookie)]
        public async Task<IActionResult> RevokeToken(string tokenId)
        {
            var token = await _TokenRepository.GetToken(tokenId);
@@ -954,6 +961,7 @@ namespace BTCPayServer.Controllers
        }

        [HttpPost("{storeId}/tokens/{tokenId}/revoke")]
+        [Authorize(Policy = Policies.CanModifyStoreSettings, AuthenticationSchemes = AuthenticationSchemes.Cookie)]
        public async Task<IActionResult> RevokeTokenConfirm(string tokenId)
        {
            var token = await _TokenRepository.GetToken(tokenId);
@@ -967,6 +975,7 @@ namespace BTCPayServer.Controllers
        }

        [HttpGet("{storeId}/tokens/{tokenId}")]
+        [Authorize(Policy = Policies.CanModifyStoreSettings, AuthenticationSchemes = AuthenticationSchemes.Cookie)]
        public async Task<IActionResult> ShowToken(string tokenId)
        {
            var token = await _TokenRepository.GetToken(tokenId);
@@ -976,6 +985,7 @@ namespace BTCPayServer.Controllers
        }

        [HttpGet("{storeId}/tokens/create")]
+        [Authorize(Policy = Policies.CanModifyStoreSettings, AuthenticationSchemes = AuthenticationSchemes.Cookie)]
        public IActionResult CreateToken(string storeId)
        {
            var model = new CreateTokenViewModel();
@@ -987,6 +997,7 @@ namespace BTCPayServer.Controllers
        }

        [HttpPost("{storeId}/tokens/create")]
+        [Authorize(Policy = Policies.CanModifyStoreSettings, AuthenticationSchemes = AuthenticationSchemes.Cookie)]
        public async Task<IActionResult> CreateToken(string storeId, CreateTokenViewModel model)
        {
            if (!ModelState.IsValid)
@@ -1065,6 +1076,7 @@ namespace BTCPayServer.Controllers
        }

        [HttpPost("{storeId}/tokens/apikey")]
+        [Authorize(Policy = Policies.CanModifyStoreSettings, AuthenticationSchemes = AuthenticationSchemes.Cookie)]
        public async Task<IActionResult> GenerateAPIKey(string storeId, string command = "")
        {
            var store = HttpContext.GetStoreData();
@@ -1129,6 +1141,7 @@ namespace BTCPayServer.Controllers
        }

        [HttpPost("/api-access-request")]
+        [Authorize(Policy = Policies.CanModifyStoreSettings, AuthenticationSchemes = AuthenticationSchemes.Cookie)]
        public async Task<IActionResult> Pair(string pairingCode, string storeId)
        {
            if (pairingCode == null)