From 13f10657b84ef07b6f7a84d0fd6dc54edfa4d20b Mon Sep 17 00:00:00 2001
From: "nicolas.dorier"
Date: Tue, 8 Dec 2020 15:20:59 +0900
Subject: [PATCH] Fix bug: When creating API Key for non-admin, some checked permissions were not included (Fix #2107 and Fix #2002)

---
 BTCPayServer.Tests/ApiKeysTests.cs | 18 ++++++++++++++++++
 .../Controllers/ManageController.APIKeys.cs | 2 +-
 BTCPayServer/Views/Manage/AddApiKey.cshtml | 14 +++++++++-----
 3 files changed, 28 insertions(+), 6 deletions(-)

diff --git a/BTCPayServer.Tests/ApiKeysTests.cs b/BTCPayServer.Tests/ApiKeysTests.cs
index 99d5536c7..043dbaae8 100644
--- a/BTCPayServer.Tests/ApiKeysTests.cs
+++ b/BTCPayServer.Tests/ApiKeysTests.cs
@@ -173,6 +173,24 @@ namespace BTCPayServer.Tests
 s.Driver.Navigate().GoToUrl(authUrl);
 Assert.False(s.Driver.Url.StartsWith("https://international.com/callback"));
+
+ // Make sure we can check all permissions when not an admin
+ await user.MakeAdmin(false);
+ s.Logout();
+ s.GoToLogin();
+ s.Login(user.RegisterDetails.Email, user.RegisterDetails.Password);
+ s.GoToProfile(ManageNavPages.APIKeys);
+ s.Driver.FindElement(By.Id("AddApiKey")).Click();
+ int checkedPermissionCount = 0;
+ foreach (var checkbox in s.Driver.FindElements(By.ClassName("form-check-input")))
+ {
+ checkedPermissionCount++;
+ checkbox.Click();
+ }
+ s.Driver.FindElement(By.Id("Generate")).Click();
+ var allAPIKey = s.AssertHappyMessage().FindElement(By.TagName("code")).Text;
+ var apikeydata = await TestApiAgainstAccessToken(allAPIKey, $"api/v1/api-keys/current", tester.PayTester.HttpClient);
+ Assert.Equal(checkedPermissionCount, apikeydata.Permissions.Length);
 }
 }
diff --git a/BTCPayServer/Controllers/ManageController.APIKeys.cs b/BTCPayServer/Controllers/ManageController.APIKeys.cs
index adafd5c29..83eef29ef 100644
--- a/BTCPayServer/Controllers/ManageController.APIKeys.cs
+++ b/BTCPayServer/Controllers/ManageController.APIKeys.cs
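Review bot: The counter in the new foreach goes up for every element carrying the `form-check-input` class whether or not the click actually checked it, so the closing `Assert.Equal` compares the key's permission count against the number of such inputs on the page rather than the number of permissions the test managed to select. If any other control on the page shares that class, or an input is rendered disabled or already checked, the assertion fails or passes for the wrong reason; asserting the state right after the click pins what the test means: `checkbox.Click(); Assert.True(checkbox.Selected); checkedPermissionCount++;`. Separately, `$"api/v1/api-keys/current"` has no interpolation holes, so the `$` prefix can be dropped. The enclosing test method starts before the hunk.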
@@ -437,7 +437,7 @@ namespace BTCPayServer.Controllers
 if (!isAdmin)
 {
- foreach (var p in viewModel.PermissionValues.Where(item => Policies.IsServerPolicy(item.Permission)))
+ foreach (var p in viewModel.PermissionValues.Where(item => item.Permission is null || Policies.IsServerPolicy(item.Permission)))
 {
 p.Forbidden = true;
 }
diff --git a/BTCPayServer/Views/Manage/AddApiKey.cshtml b/BTCPayServer/Views/Manage/AddApiKey.cshtml
index 339f15630..fa4c6edcd 100644
--- a/BTCPayServer/Views/Manage/AddApiKey.cshtml
+++ b/BTCPayServer/Views/Manage/AddApiKey.cshtml
@@ -26,17 +26,21 @@
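Review bot: The widened predicate now marks every entry with a null `Permission` as forbidden for non-admins, but nothing says why a missing permission should be treated like a server policy, so a reader is likely to take `item.Permission is null ||` for a plain null-guard in front of `IsServerPolicy`. A one-line why-comment above the foreach would settle it, for example `// Entries with no Permission (presumably the unrestricted option) are admin-only, like server policies` — reworded to whatever the null entry actually represents. Since `Forbidden` looks like a view-model flag that only controls rendering, it is also worth confirming that the POST handler rejects such entries when submitted by a non-admin rather than relying on the view not showing them. The enclosing method starts and ends outside the hunk.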
@for (int i = 0; i < Model.PermissionValues.Count; i++) { - @if (!Model.PermissionValues[i].Forbidden) + @if (Model.PermissionValues[i].Forbidden) { - + + } + else + { + @if (Policies.IsStorePolicy(Model.PermissionValues[i].Permission)) { - + @if (Model.PermissionValues[i].StoreMode == ManageController.AddApiKeyViewModel.ApiKeyStoreMode.AllStores) {
- + @@ -90,7 +94,7 @@ {
- + @Model.PermissionValues[i].Description