Greenfield: Fix invoice refund permission (#5558)

BTCPayServer/Controllers/GreenField/GreenfieldInvoiceController.cs

@@ -41,6 +41,7 @@ namespace BTCPayServer.Controllers.Greenfield
         private readonly RateFetcher _rateProvider;
         private readonly InvoiceActivator _invoiceActivator;
         private readonly ApplicationDbContextFactory _dbContextFactory;
+        private readonly IAuthorizationService _authorizationService;
 
         public LanguageService LanguageService { get; }
 
@@ -48,7 +49,9 @@ namespace BTCPayServer.Controllers.Greenfield
             LinkGenerator linkGenerator, LanguageService languageService, BTCPayNetworkProvider btcPayNetworkProvider,
             CurrencyNameTable currencyNameTable, RateFetcher rateProvider,
             InvoiceActivator invoiceActivator,
-            PullPaymentHostedService pullPaymentService, ApplicationDbContextFactory dbContextFactory)
+            PullPaymentHostedService pullPaymentService, 
+            ApplicationDbContextFactory dbContextFactory, 
+            IAuthorizationService authorizationService)
         {
             _invoiceController = invoiceController;
             _invoiceRepository = invoiceRepository;
@@ -59,6 +62,7 @@ namespace BTCPayServer.Controllers.Greenfield
             _invoiceActivator = invoiceActivator;
             _pullPaymentService = pullPaymentService;
             _dbContextFactory = dbContextFactory;
+            _authorizationService = authorizationService;
             LanguageService = languageService;
         }
 
@@ -350,7 +354,7 @@ namespace BTCPayServer.Controllers.Greenfield
             return this.CreateValidationError(ModelState);
         }
 
-        [Authorize(Policy = Policies.CanModifyStoreSettings,
+        [Authorize(Policy = Policies.CanCreateNonApprovedPullPayments,
             AuthenticationSchemes = AuthenticationSchemes.Greenfield)]
         [HttpPost("~/api/v1/stores/{storeId}/invoices/{invoiceId}/refund")]
         public async Task<IActionResult> RefundInvoice(
@@ -512,6 +516,7 @@ namespace BTCPayServer.Controllers.Greenfield
                 createPullPayment.Amount = Math.Round(createPullPayment.Amount - reduceByAmount, appliedDivisibility);
             }
 
+            createPullPayment.AutoApproveClaims = createPullPayment.AutoApproveClaims && (await _authorizationService.AuthorizeAsync(User, createPullPayment.StoreId ,Policies.CanCreatePullPayments)).Succeeded;
             var ppId = await _pullPaymentService.CreatePullPayment(createPullPayment);
 
             await using var ctx = _dbContextFactory.CreateContext();

BTCPayServer/Controllers/UIStorePullPaymentsController.PullPayments.cs

@@ -138,11 +138,8 @@ namespace BTCPayServer.Controllers
             }
             if (!ModelState.IsValid)
                 return View(model);
-            if (model.AutoApproveClaims)
+            model.AutoApproveClaims = model.AutoApproveClaims &&  (await
-            {
-                model.AutoApproveClaims = (await
                 _authorizationService.AuthorizeAsync(User, storeId, Policies.CanCreatePullPayments)).Succeeded;
-            }
             await _pullPaymentService.CreatePullPayment(new HostedServices.CreatePullPayment()
             {
                 Name = model.Name,

BTCPayServer/wwwroot/swagger/v1/swagger.template.invoices.json

@@ -770,7 +770,7 @@
                 "security": [
                     {
                         "API_Key": [
-                            "btcpay.store.canmodifystoresettings"
+                            "btcpay.store.cancreatepullpayments"
                         ],
                         "Basic": []
                     }