Fix bug: When creating API Key for non-admin, some checked permissions were not included (Fix #2107 and Fix #2002)

2025-01-19 05:33:31 +01:00 · 2020-12-08 15:20:59 +09:00 · 2020-12-08 15:20:59 +09:00 · 13f10657b8
commit 13f10657b8
parent dd5fd2e5bb
3 changed files with 28 additions and 6 deletions
--- a/BTCPayServer.Tests/ApiKeysTests.cs
+++ b/BTCPayServer.Tests/ApiKeysTests.cs
@ -173,6 +173,24 @@ namespace BTCPayServer.Tests
                
                s.Driver.Navigate().GoToUrl(authUrl);
                Assert.False(s.Driver.Url.StartsWith("https://international.com/callback"));
+
+                // Make sure we can check all permissions when not an admin
+                await user.MakeAdmin(false);
+                s.Logout();
+                s.GoToLogin();
+                s.Login(user.RegisterDetails.Email, user.RegisterDetails.Password);
+                s.GoToProfile(ManageNavPages.APIKeys);
+                s.Driver.FindElement(By.Id("AddApiKey")).Click();
+                int checkedPermissionCount = 0;
+                foreach (var checkbox in s.Driver.FindElements(By.ClassName("form-check-input")))
+                {
+                    checkedPermissionCount++;
+                    checkbox.Click();
+                }
+                s.Driver.FindElement(By.Id("Generate")).Click();
+                var allAPIKey = s.AssertHappyMessage().FindElement(By.TagName("code")).Text;
+                var apikeydata = await TestApiAgainstAccessToken<ApiKeyData>(allAPIKey, $"api/v1/api-keys/current", tester.PayTester.HttpClient);
+                Assert.Equal(checkedPermissionCount, apikeydata.Permissions.Length);
            }
        }

--- a/BTCPayServer/Controllers/ManageController.APIKeys.cs
+++ b/BTCPayServer/Controllers/ManageController.APIKeys.cs
@ -437,7 +437,7 @@ namespace BTCPayServer.Controllers

            if (!isAdmin)
            {
-                foreach (var p in viewModel.PermissionValues.Where(item => Policies.IsServerPolicy(item.Permission)))
+                foreach (var p in viewModel.PermissionValues.Where(item => item.Permission is null || Policies.IsServerPolicy(item.Permission)))
                {
                    p.Forbidden = true;
                }
--- a/BTCPayServer/Views/Manage/AddApiKey.cshtml
+++ b/BTCPayServer/Views/Manage/AddApiKey.cshtml
@ -26,17 +26,21 @@
    <div class="list-group mb-4">
        @for (int i = 0; i < Model.PermissionValues.Count; i++)
        {
-            @if (!Model.PermissionValues[i].Forbidden)
+            @if (Model.PermissionValues[i].Forbidden)
            {
-                <input type="hidden" asp-for="PermissionValues[i].Permission"/>
+                <input type="hidden" asp-for="PermissionValues[i].Value" value="false" />
+            }
+            else
+            {
+                <input type="hidden" asp-for="PermissionValues[i].Permission" />
                @if (Policies.IsStorePolicy(Model.PermissionValues[i].Permission))
                {
-                    <input type="hidden"  asp-for="PermissionValues[i].StoreMode" value="@Model.PermissionValues[i].StoreMode"/>
+                    <input type="hidden" asp-for="PermissionValues[i].StoreMode" value="@Model.PermissionValues[i].StoreMode" />
                    @if (Model.PermissionValues[i].StoreMode == ManageController.AddApiKeyViewModel.ApiKeyStoreMode.AllStores)
                    {
                        <div class="list-group-item form-group py-3">
                            <div class="form-check">
-                                <input id="@Model.PermissionValues[i].Permission" type="checkbox" asp-for="PermissionValues[i].Value" class="form-check-input ml-n4"/>
+                                <input id="@Model.PermissionValues[i].Permission" type="checkbox" asp-for="PermissionValues[i].Value" class="form-check-input ml-n4" />
                                <label for="@Model.PermissionValues[i].Permission" class="h5 form-check-label mr-2 mb-1">@Model.PermissionValues[i].Title</label>
                                <button type="submit" class="btn btn-link p-0 mb-1" name="command" value="@($"{Model.PermissionValues[i].Permission}:change-store-mode")">Select specific stores</button>
                                <span asp-validation-for="PermissionValues[i].Value" class="text-danger"></span>
@ -90,7 +94,7 @@
                {
                    <div class="list-group-item form-group py-3">
                        <div class="form-check">
-                            <input id="@Model.PermissionValues[i].Permission" type="checkbox" asp-for="PermissionValues[i].Value" class="form-check-input ml-n4"/>
+                            <input id="@Model.PermissionValues[i].Permission" type="checkbox" asp-for="PermissionValues[i].Value" class="form-check-input ml-n4" />
                            <label for="@Model.PermissionValues[i].Permission" class="h5 form-check-label mr-2 mb-1">@Model.PermissionValues[i].Title</label>
                            <span asp-validation-for="PermissionValues[i].Value" class="text-danger"></span>
                            <span class="form-text text-muted">@Model.PermissionValues[i].Description</span>