Fix app permissions (#3227)

* Fix app permissions As pointed out by @nicolasdorier [here](https://github.com/btcpayserver/btcpayserver/pull/3205#issuecomment-999437555). * Fix for login codes view * Ensure app belongs to store
2025-02-20 13:34:37 +01:00 · 2021-12-26 04:20:46 +01:00 · 2021-12-26 04:20:46 +01:00 · 4a66c91cac
commit 4a66c91cac
parent 48ac996d77
2 changed files with 10 additions and 3 deletions
--- a/BTCPayServer/Security/CookieAuthorizationHandler.cs
+++ b/BTCPayServer/Security/CookieAuthorizationHandler.cs
@ -66,8 +66,15 @@ namespace BTCPayServer.Security
                if (routeData.Values.TryGetValue("appId", out var vAppId))
                {
                    string appId = vAppId as string;
-                    app = await _appService.GetApp(appId, null);
-                    storeId ??= app?.StoreDataId;
+                    app = await _appService.GetAppDataIfOwner(userId, appId);
+                    if (storeId == null)
+                    {
+                        storeId = app?.StoreDataId;
+                    }
+                    else if (app?.StoreDataId != storeId)
+                    {
+                        app = null;
+                    }
                }
                // resolve from payment request
                if (routeData.Values.TryGetValue("payReqId", out var vPayReqId))
--- a/BTCPayServer/Views/Manage/LoginCodes.cshtml
+++ b/BTCPayServer/Views/Manage/LoginCodes.cshtml
@ -1,6 +1,6 @@
@model string
@{
-    ViewData.SetActivePageAndTitle(ManageNavPages.LoginCodes, "Login codes");
+    ViewData.SetActivePage(ManageNavPages.LoginCodes, "Login codes");
 }
 <h2 class="mb-4">@ViewData["Title"]</h2>
 <p>Easily log into BTCPay Server on another device using a simple login code from an already authenticated device.</p>