From 1477630c78dc4dcced40db3ea38c80fa50630b6a Mon Sep 17 00:00:00 2001
From: "nicolas.dorier"
Date: Thu, 6 Dec 2018 16:58:04 +0900
Subject: [PATCH] Remove anonymous access to invoice data
---
 BTCPayServer/Controllers/InvoiceController.API.cs | 10 ++++++----
 BTCPayServer/Controllers/InvoiceController.UI.cs | 2 ++
 2 files changed, 8 insertions(+), 4 deletions(-)
diff --git a/BTCPayServer/Controllers/InvoiceController.API.cs b/BTCPayServer/Controllers/InvoiceController.API.cs
index da7bc8524..58c637a9d 100644
--- a/BTCPayServer/Controllers/InvoiceController.API.cs
+++ b/BTCPayServer/Controllers/InvoiceController.API.cs
@@ -40,16 +40,18 @@ namespace BTCPayServer.Controllers
 [HttpGet]
 [Route("invoices/{id}")]
- [AllowAnonymous]
- public async Task> GetInvoice(string id, string token)
+ public async Task> GetInvoice(string id)
 {
- var invoice = await _InvoiceRepository.GetInvoice(null, id);
+ var invoice = (await _InvoiceRepository.GetInvoices(new InvoiceQuery()
+ {
+ InvoiceId = id,
+ StoreId = new[] { HttpContext.GetStoreData().Id }
+ })).FirstOrDefault();
 if (invoice == null) throw new BitpayHttpException(404, "Object not found");
 var resp = invoice.EntityToDTO(_NetworkProvider);
 return new DataWrapper(resp);
 }
- [HttpGet]
 [Route("invoices")]
 public async Task> GetInvoices(
diff --git a/BTCPayServer/Controllers/InvoiceController.UI.cs b/BTCPayServer/Controllers/InvoiceController.UI.cs
index fdc983f87..08eda9572 100644
--- a/BTCPayServer/Controllers/InvoiceController.UI.cs
+++ b/BTCPayServer/Controllers/InvoiceController.UI.cs
@@ -30,11 +30,13 @@ namespace BTCPayServer.Controllers
 {
 [HttpGet]
 [Route("invoices/{invoiceId}")]
+ [Authorize(AuthenticationSchemes = Policies.CookieAuthentication)]
 public async Task Invoice(string invoiceId)
 {
 var invoice = (await _InvoiceRepository.GetInvoices(new InvoiceQuery()
 {
 InvoiceId = invoiceId,
+ UserId = GetUserId(),
 IncludeAddresses = true,
 IncludeEvents = true
 })).FirstOrDefault();
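Review bot: The new `StoreId = new[] { HttpContext.GetStoreData().Id }` line in GetInvoice dereferences the store with no null check, so if whichever authentication now gates this route (the commit only removes [AllowAnonymous], the gating attribute is not visible in the hunk) does not attach a store to the HttpContext, the call fails with a NullReferenceException and a 500 rather than an authorization error. A guard before the query, `var store = HttpContext.GetStoreData(); if (store == null) throw new BitpayHttpException(404, "Object not found");`, keeps the failure mode explicit and, by reusing the same 404 as the not-found branch, does not reveal whether an invoice id exists in another store. Scoping the lookup to the caller's store and answering 404 for both "missing" and "not yours" is the right shape; the old `GetInvoice(null, id)` call had no store filter at all. The removed line printed as `- [HttpGet]` before `[Route("invoices")]` is ambiguous in this rendering: if it is the `[HttpGet]` attribute of GetInvoices rather than a blank line, that action loses its verb binding and should be re-checked in the source file.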
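Review bot: The access control added to Invoice in InvoiceController.UI.cs rests entirely on the new `[Authorize(AuthenticationSchemes = Policies.CookieAuthentication)]` attribute, because `UserId = GetUserId()` filters only when GetUserId() yields a value; by analogy with the old API call `GetInvoice(null, id)`, a null id in InvoiceQuery presumably means "no filter", so a null user would widen the query to every invoice instead of failing closed. A defensive check such as `var userId = GetUserId(); if (userId == null) return NotFound();` before building the query makes the handler safe even if the attribute is later dropped or the scheme changes. The null handling after `FirstOrDefault()` lies outside the hunk, as does the rest of the method; it should treat "no such invoice" and "invoice owned by another user" identically, since both now arrive as null.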