From f67fa6a5d61312139be94d2fd30e121320bfdcbb Mon Sep 17 00:00:00 2001
From: Nicolas Dorier
Date: Thu, 13 Jan 2022 17:42:32 +0900
Subject: [PATCH] Remove right to admins to bypass permissions to modify/view invoices or stores (#3297)
---
 BTCPayServer/Security/CookieAuthorizationHandler.cs | 12 +++---------
 1 file changed, 3 insertions(+), 9 deletions(-)
diff --git a/BTCPayServer/Security/CookieAuthorizationHandler.cs b/BTCPayServer/Security/CookieAuthorizationHandler.cs
index b6212f293..efc2ca3f3 100644
--- a/BTCPayServer/Security/CookieAuthorizationHandler.cs
+++ b/BTCPayServer/Security/CookieAuthorizationHandler.cs
@@ -127,20 +127,14 @@ namespace BTCPayServer.Security
 if (isAdmin)
 success = true;
 break;
- case Policies.CanViewInvoices:
- if (store == null || store.Role == StoreRoles.Owner || isAdmin)
- success = true;
- break;
 case Policies.CanModifyStoreSettings:
- if (store != null && (store.Role == StoreRoles.Owner || isAdmin))
+ if (store != null && (store.Role == StoreRoles.Owner))
 success = true;
 break;
+ case Policies.CanViewInvoices:
 case Policies.CanViewStoreSettings:
- if (store != null || isAdmin)
- success = true;
- break;
 case Policies.CanCreateInvoice:
- if (store != null || isAdmin)
+ if (store != null)
 success = true;
 break;
 case Policies.CanViewProfile:
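Review bot: Folding `case Policies.CanViewInvoices:` into the `CanViewStoreSettings`/`CanCreateInvoice` group drops its `store.Role == StoreRoles.Owner` requirement, so the check now passes for any non-null `store` regardless of role, which is a wider change than the commit title (removing the admin bypass) describes. If `store` is resolved per user elsewhere in the handler (not visible in this hunk), every store member, including non-owner roles, can now view invoices; if that is not intended, keep a separate case guarded by `if (store != null && store.Role == StoreRoles.Owner)`. The old `store == null` branch is also gone, so a `CanViewInvoices` check made without a store in scope now fails where it used to succeed; a comment such as `// Any store member may view invoices; a store must be in scope` would record the intent. The switch begins and ends outside this hunk.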