diff --git a/BTCPayServer/Controllers/GreenField/GreenfieldInvoiceController.cs b/BTCPayServer/Controllers/GreenField/GreenfieldInvoiceController.cs
index 50a8c11ac..765cc6d88 100644
--- a/BTCPayServer/Controllers/GreenField/GreenfieldInvoiceController.cs
+++ b/BTCPayServer/Controllers/GreenField/GreenfieldInvoiceController.cs
@@ -41,6 +41,7 @@ namespace BTCPayServer.Controllers.Greenfield
 private readonly RateFetcher _rateProvider;
 private readonly InvoiceActivator _invoiceActivator;
 private readonly ApplicationDbContextFactory _dbContextFactory;
+ private readonly IAuthorizationService _authorizationService;
 public LanguageService LanguageService { get; }
@@ -48,7 +49,9 @@ namespace BTCPayServer.Controllers.Greenfield
 LinkGenerator linkGenerator, LanguageService languageService, BTCPayNetworkProvider btcPayNetworkProvider, CurrencyNameTable currencyNameTable, RateFetcher rateProvider, InvoiceActivator invoiceActivator,
- PullPaymentHostedService pullPaymentService, ApplicationDbContextFactory dbContextFactory)
+ PullPaymentHostedService pullPaymentService,
+ ApplicationDbContextFactory dbContextFactory,
+ IAuthorizationService authorizationService)
 {
 _invoiceController = invoiceController;
 _invoiceRepository = invoiceRepository;
@@ -59,6 +62,7 @@ namespace BTCPayServer.Controllers.Greenfield
 _invoiceActivator = invoiceActivator;
 _pullPaymentService = pullPaymentService;
 _dbContextFactory = dbContextFactory;
+ _authorizationService = authorizationService;
 LanguageService = languageService;
 }
@@ -350,7 +354,7 @@ namespace BTCPayServer.Controllers.Greenfield
 return this.CreateValidationError(ModelState);
 }
- [Authorize(Policy = Policies.CanModifyStoreSettings,
+ [Authorize(Policy = Policies.CanCreateNonApprovedPullPayments,
 AuthenticationSchemes = AuthenticationSchemes.Greenfield)]
 [HttpPost("~/api/v1/stores/{storeId}/invoices/{invoiceId}/refund")]
 public async Task RefundInvoice(
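Review bot: The policy the `[Authorize]` attribute on `RefundInvoice` now enforces, `Policies.CanCreateNonApprovedPullPayments`, does not match the permission the swagger hunk in `swagger.template.invoices.json` advertises for the same endpoint, `btcpay.store.cancreatepullpayments`, so the published API contract and the enforced check disagree about which key may call the refund endpoint. The two should name the same permission: either the swagger `API_Key` entry is changed to the permission string that corresponds to `Policies.CanCreateNonApprovedPullPayments` (presumably the lowercase form of that policy name — confirm against the `Policies` constants), or the attribute is changed to whatever the documentation intends. `RefundInvoice`'s body continues outside this hunk.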
@@ -512,6 +516,7 @@ namespace BTCPayServer.Controllers.Greenfield
 createPullPayment.Amount = Math.Round(createPullPayment.Amount - reduceByAmount, appliedDivisibility);
 }
+ createPullPayment.AutoApproveClaims = createPullPayment.AutoApproveClaims && (await _authorizationService.AuthorizeAsync(User, createPullPayment.StoreId ,Policies.CanCreatePullPayments)).Succeeded;
 var ppId = await _pullPaymentService.CreatePullPayment(createPullPayment);
 await using var ctx = _dbContextFactory.CreateContext();
diff --git a/BTCPayServer/Controllers/UIStorePullPaymentsController.PullPayments.cs b/BTCPayServer/Controllers/UIStorePullPaymentsController.PullPayments.cs
index b2f9f8498..2e3cf8812 100644
--- a/BTCPayServer/Controllers/UIStorePullPaymentsController.PullPayments.cs
+++ b/BTCPayServer/Controllers/UIStorePullPaymentsController.PullPayments.cs
@@ -138,11 +138,8 @@ namespace BTCPayServer.Controllers
 }
 if (!ModelState.IsValid)
 return View(model);
- if (model.AutoApproveClaims)
- {
- model.AutoApproveClaims = (await
- _authorizationService.AuthorizeAsync(User, storeId, Policies.CanCreatePullPayments)).Succeeded;
- }
+ model.AutoApproveClaims = model.AutoApproveClaims && (await
+ _authorizationService.AuthorizeAsync(User, storeId, Policies.CanCreatePullPayments)).Succeeded;
 await _pullPaymentService.CreatePullPayment(new HostedServices.CreatePullPayment()
 {
 Name = model.Name,
diff --git a/BTCPayServer/wwwroot/swagger/v1/swagger.template.invoices.json b/BTCPayServer/wwwroot/swagger/v1/swagger.template.invoices.json
index 04558e4f3..2168abdf4 100644
--- a/BTCPayServer/wwwroot/swagger/v1/swagger.template.invoices.json
+++ b/BTCPayServer/wwwroot/swagger/v1/swagger.template.invoices.json
@@ -770,7 +770,7 @@
 "security": [
 {
 "API_Key": [
- "btcpay.store.canmodifystoresettings"
+ "btcpay.store.cancreatepullpayments"
 ],
 "Basic": []
 }
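Review bot: The added assignment silently turns a requested `AutoApproveClaims = true` into `false` when the caller holds only the policy the endpoint now requires, so a Greenfield client receives a refund pull payment whose claims need manual approval without any error or response field saying so. Because this is an API rather than the UI form, consider either rejecting the request with `ModelState.AddModelError(nameof(createPullPayment.AutoApproveClaims), "...")` followed by the `this.CreateValidationError(ModelState)` path the method already uses, or documenting the downgrade in the swagger entry; at minimum add a why-comment above the line such as `// Creating the refund needs only CanCreateNonApprovedPullPayments; auto-approving claims additionally needs CanCreatePullPayments, so the flag is dropped when the caller lacks it.`. The resource passed to `AuthorizeAsync` is `createPullPayment.StoreId`, which is assigned outside this hunk — confirm it is the route `storeId` and not a caller-supplied value, since the authorization decision is scoped to it. The spacing `createPullPayment.StoreId ,Policies.CanCreatePullPayments` should also be `createPullPayment.StoreId, Policies.CanCreatePullPayments`. `RefundInvoice` begins and ends outside this hunk.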