From 4a66c91cac20c9b0e24ac24657e5ebb66f2d7a96 Mon Sep 17 00:00:00 2001
From: d11n
Date: Sun, 26 Dec 2021 04:20:46 +0100
Subject: [PATCH] Fix app permissions (#3227)

* Fix app permissions

As pointed out by @nicolasdorier [here](https://github.com/btcpayserver/btcpayserver/pull/3205#issuecomment-999437555).

* Fix for login codes view

* Ensure app belongs to store
---
 BTCPayServer/Security/CookieAuthorizationHandler.cs | 11 +++++++++--
 BTCPayServer/Views/Manage/LoginCodes.cshtml | 2 +-
 2 files changed, 10 insertions(+), 3 deletions(-)

diff --git a/BTCPayServer/Security/CookieAuthorizationHandler.cs b/BTCPayServer/Security/CookieAuthorizationHandler.cs
index eba1b6dad..b11e48f56 100644
--- a/BTCPayServer/Security/CookieAuthorizationHandler.cs
+++ b/BTCPayServer/Security/CookieAuthorizationHandler.cs
@@ -66,8 +66,15 @@ namespace BTCPayServer.Security
 if (routeData.Values.TryGetValue("appId", out var vAppId))
 {
 string appId = vAppId as string;
- app = await _appService.GetApp(appId, null);
- storeId ??= app?.StoreDataId;
+ app = await _appService.GetAppDataIfOwner(userId, appId);
+ if (storeId == null)
+ {
+ storeId = app?.StoreDataId;
+ }
+ else if (app?.StoreDataId != storeId)
+ {
+ app = null;
+ }
 }
 // resolve from payment request
 if (routeData.Values.TryGetValue("payReqId", out var vPayReqId))
diff --git a/BTCPayServer/Views/Manage/LoginCodes.cshtml b/BTCPayServer/Views/Manage/LoginCodes.cshtml
index 9bca5b208..cf549c191 100644
--- a/BTCPayServer/Views/Manage/LoginCodes.cshtml
+++ b/BTCPayServer/Views/Manage/LoginCodes.cshtml
@@ -1,6 +1,6 @@
 @model string
 @{
- ViewData.SetActivePageAndTitle(ManageNavPages.LoginCodes, "Login codes");
+ ViewData.SetActivePage(ManageNavPages.LoginCodes, "Login codes");
 }
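Review bot: The new `else if (app?.StoreDataId != storeId) { app = null; }` branch in CookieAuthorizationHandler silently discards an app whose store does not match the route's `storeId`, but what a null `app` leads to is decided by the rest of the handler, which lies outside this hunk — confirm that a request carrying both a valid `storeId` and a foreign or unowned `appId` is denied there rather than falling back to store-level checks while the controller later loads the app by id on its own. A comment on the branch would make that contract explicit for the next maintainer: `// appId not owned by the user, or bound to a different store than the route's storeId: drop it so no later check can grant access through it`. The ownership check also changes behaviour for any caller whose `userId` holds a non-owner store role (presumably resolved earlier in this method, outside the hunk); if such roles exist, a short note on why app access requires ownership would help. Optionally, the two branches collapse to `storeId ??= app?.StoreDataId; if (app?.StoreDataId != storeId) app = null;` with identical results, and `storeId is null` matches the pattern-matching style used elsewhere in modern C#.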

@ViewData["Title"]

Easily log into BTCPay Server on another device using a simple login code from an already authenticated device.