CookieAuthHandler shouldn't set store context if appId/payReqId/invoiceId is not found

nicolas.dorier 2022-01-07 17:34:06 +09:00
parent fa84e34def
commit b71a04943b
No known key found for this signature in database
GPG Key ID: 6618763EF09186FE
2 changed files with 15 additions and 13 deletions


@ -28,10 +28,13 @@ namespace BTCPayServer.Tests
public static void AssertNoError(this IWebDriver driver)
{
if (!driver.PageSource.Contains("alert-danger"))
return;
foreach (var dangerAlert in driver.FindElements(By.ClassName("alert-danger")))
Assert.False(dangerAlert.Displayed, $"No alert should be displayed, but found this on {driver.Url}: {dangerAlert.Text}");
if (driver.PageSource.Contains("alert-danger"))
{
foreach (var dangerAlert in driver.FindElements(By.ClassName("alert-danger")))
Assert.False(dangerAlert.Displayed, $"No alert should be displayed, but found this on {driver.Url}: {dangerAlert.Text}");
}
Assert.DoesNotContain("Access denied</h", driver.PageSource);
Assert.DoesNotContain("Page not found</h", driver.PageSource);
}
public static T AssertViewModel<T>(this IActionResult result)
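Review bot: The two added `Assert.DoesNotContain` calls at the end of AssertNoError fail without saying which page was hit, unlike the `Assert.False` above them, which reports `driver.Url`. This helper now also checks that a test never landed on an access-denied or not-found page, so the URL is the first thing needed when it trips. Reading the source once with `var source = driver.PageSource;` and asserting with a message, `Assert.False(source.Contains("Access denied</h"), $"Access denied page at {driver.Url}");`, would also avoid three separate page-source reads that may see different DOM states. The match on the `</h` fragment ties the check to the heading markup, which deserves a one-line comment.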


@ -68,13 +68,12 @@ namespace BTCPayServer.Security
if (routeData != null)
{
// resolve from app
if (routeData.Values.TryGetValue("appId", out var vAppId))
if (routeData.Values.TryGetValue("appId", out var vAppId) && vAppId is string appId)
{
string appId = vAppId as string;
app = await _appService.GetAppDataIfOwner(userId, appId);
if (storeId == null)
{
storeId = app?.StoreDataId;
storeId = app?.StoreDataId ?? String.Empty;
}
else if (app?.StoreDataId != storeId)
{
@ -82,13 +81,12 @@ namespace BTCPayServer.Security
}
}
// resolve from payment request
if (routeData.Values.TryGetValue("payReqId", out var vPayReqId))
if (routeData.Values.TryGetValue("payReqId", out var vPayReqId) && vPayReqId is string payReqId)
{
string payReqId = vPayReqId as string;
paymentRequest = await _paymentRequestRepository.FindPaymentRequest(payReqId, userId);
if (storeId == null)
{
storeId = paymentRequest?.StoreDataId;
storeId = paymentRequest?.StoreDataId ?? String.Empty;
}
else if (paymentRequest?.StoreDataId != storeId)
{
@ -96,13 +94,12 @@ namespace BTCPayServer.Security
}
}
// resolve from invoice
if (routeData.Values.TryGetValue("invoiceId", out var vInvoiceId))
if (routeData.Values.TryGetValue("invoiceId", out var vInvoiceId) && vInvoiceId is string invoiceId)
{
string invoiceId = vInvoiceId as string;
invoice = await _invoiceRepository.GetInvoice(invoiceId);
if (storeId == null)
{
storeId = invoice?.StoreId;
storeId = invoice?.StoreId ?? String.Empty;
}
else if (invoice?.StoreId != storeId)
{
@ -117,6 +114,8 @@ namespace BTCPayServer.Security
storeId = _httpContext.GetUserPrefsCookie()?.CurrentStoreId;
}
if (string.IsNullOrEmpty(storeId))
storeId = null;
if (storeId != null)
{
store = await _storeRepository.FindStore(storeId, userId);
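Review bot: The three `?? String.Empty` assignments use the empty string as an undocumented sentinel for "an id was in the route but did not resolve", and its effect depends on code that sits apart from it: the `string.IsNullOrEmpty(storeId)` reset just before `FindStore`, and the prefs-cookie fallback whose condition is outside the hunk (presumably `storeId == null`). A comment at the first assignment would keep a later edit from reopening the fallback, for example `// "" = route id not resolved for this user: must not fall back to the prefs-cookie store; reset to null before FindStore`. The new `is string` patterns also skip the whole branch when the route value is not a string, leaving `storeId` null so the cookie fallback would still apply; if that can happen, assigning the sentinel there too would keep the behaviour fail-closed. The `else if` bodies of each branch fall outside the hunks, so whether they clear `app`, `paymentRequest` and `invoice` on a mismatch cannot be checked here. Separately, `GetInvoice(invoiceId)` takes no `userId`, unlike the other two lookups, so invoice ownership appears to rest on `FindStore(storeId, userId)` alone; worth confirming that `invoice` is dropped when that returns null.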