diff --git a/BTCPayServer.Tests/GreenfieldAPITests.cs b/BTCPayServer.Tests/GreenfieldAPITests.cs
index b32e6e828..4f856b63c 100644
--- a/BTCPayServer.Tests/GreenfieldAPITests.cs
+++ b/BTCPayServer.Tests/GreenfieldAPITests.cs
@@ -102,8 +102,8 @@ namespace BTCPayServer.Tests
 await AssertHttpError(403, async () => await adminClient.CreateUser(new CreateApplicationUserRequest() { Email = "test4@gmail.com", Password = "afewfoiewiou" }));
 await AssertHttpError(403, async () => await adminClient.CreateUser(new CreateApplicationUserRequest() { Email = "test4@gmail.com", Password = "afewfoiewiou", IsAdministrator = true }));
- // However, should be ok with the server management permissions
- adminClient = await adminAcc.CreateClient(Policies.CanModifyServerSettings);
+ // However, should be ok with the unrestricted permissions of an admin
+ adminClient = await adminAcc.CreateClient(Policies.Unrestricted);
 await adminClient.CreateUser(new CreateApplicationUserRequest() { Email = "test4@gmail.com", Password = "afewfoiewiou" });
 // Even creating new admin should be ok
 await adminClient.CreateUser(new CreateApplicationUserRequest() { Email = "admin4@gmail.com", Password = "afewfoiewiou", IsAdministrator = true });
diff --git a/BTCPayServer/Controllers/RestApi/UsersController.cs b/BTCPayServer/Controllers/RestApi/UsersController.cs
index 9abefacee..30e57d725 100644
--- a/BTCPayServer/Controllers/RestApi/UsersController.cs
+++ b/BTCPayServer/Controllers/RestApi/UsersController.cs
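Review bot: The hunk removes the only call that creates a user with a key holding just `Policies.CanModifyServerSettings`, but adds nothing asserting that such a key is now rejected, which is exactly the behaviour the controller change introduces. Before switching adminClient to the unrestricted key, add `adminClient = await adminAcc.CreateClient(Policies.CanModifyServerSettings);` followed by `await AssertHttpError(403, async () => await adminClient.CreateUser(new CreateApplicationUserRequest() { Email = "test4@gmail.com", Password = "afewfoiewiou" }));` so a regression that reopens user creation to server-settings keys is caught by the suite. The enclosing test method starts and ends outside the hunk.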
@@ -87,7 +87,8 @@ namespace BTCPayServer.Controllers.RestApi
 if (anyAdmin && request.IsAdministrator is true && !isAuth) return Forbid(AuthenticationSchemes.ApiKey);
 // You are de-facto admin if there is no other admin, else you need to be auth and pass policy requirements
- bool isAdmin = anyAdmin ? (await _authorizationService.AuthorizeAsync(User, null, new PolicyRequirement(Policies.CanModifyServerSettings))).Succeeded
+ bool isAdmin = anyAdmin ? (await _authorizationService.AuthorizeAsync(User, null, new PolicyRequirement(Policies.CanModifyServerSettings))).Succeeded
+ && (await _authorizationService.AuthorizeAsync(User, null, new PolicyRequirement(Policies.Unrestricted))).Succeeded
 && isAuth : true;
 // You need to be admin to create an admin
diff --git a/BTCPayServer/Views/Manage/AuthorizeAPIKey.cshtml b/BTCPayServer/Views/Manage/AuthorizeAPIKey.cshtml
index 6a431637c..164c53c3a 100644
--- a/BTCPayServer/Views/Manage/AuthorizeAPIKey.cshtml
+++ b/BTCPayServer/Views/Manage/AuthorizeAPIKey.cshtml
@@ -7,7 +7,7 @@
 Layout = "_Layout";
 ViewData["Title"] = $"Authorize {(Model.ApplicationName ?? "Application")}";
 var permissions = Permission.ToPermissions(Model.Permissions);
- var hasStorePermission = permissions.Any(p => p.Policy == Permission.CanModifyStoreSettings);
+ var hasStorePermission = permissions.Any(p => p.Policy == Policies.CanModifyStoreSettings);
 }
diff --git a/BTCPayServer/wwwroot/swagger/v1/swagger.template.json b/BTCPayServer/wwwroot/swagger/v1/swagger.template.json
index 7157fb603..70e8aa3f1 100644
--- a/BTCPayServer/wwwroot/swagger/v1/swagger.template.json
+++ b/BTCPayServer/wwwroot/swagger/v1/swagger.template.json
@@ -143,7 +143,7 @@
 },
 "isAdministrator": {
 "type": "boolean",
- "description": "Make this user administrator (only if your APIKey has ServerManagment permission)",
+ "description": "Make this user administrator (only if your APIKey has `unrestricted` permission of a server administrator)",
 "nullable": true,
 "default": false
 }
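Review bot: The added `Policies.Unrestricted` check sits next to the retained `Policies.CanModifyServerSettings` check, and if an unrestricted key satisfies every policy (which the test hunk switching to `Policies.Unrestricted` suggests, though the permission model is not visible here) the first AuthorizeAsync is redundant and leaves a reader unsure which policy is the real gate. The ternary also issues up to two AuthorizeAsync calls before consulting `isAuth`, which is already computed and used on the `if` line above; testing it first short-circuits the authorization calls for unauthenticated callers. If the implication holds, the whole expression can become `bool isAdmin = !anyAdmin || (isAuth && (await _authorizationService.AuthorizeAsync(User, null, new PolicyRequirement(Policies.Unrestricted))).Succeeded);` with the comment `// An unrestricted key implies the server-settings policy, so it is the only one checked` replacing the two-policy conjunction. The `!anyAdmin` branch still treats any caller as admin; that is pre-existing behaviour the commit does not touch. The enclosing action method starts and ends outside the hunk.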