Require Owner role to the store for modifying store via Greenfield

2024-11-19 09:54:30 +01:00 · 2020-06-12 18:26:20 +09:00 · 2020-06-12 18:26:20 +09:00 · f40a8853f6
commit f40a8853f6
parent 1889c33d80
3 changed files with 20 additions and 1 deletions
--- a/BTCPayServer.Client/Permissions.cs
+++ b/BTCPayServer.Client/Permissions.cs
@ -49,7 +49,11 @@ namespace BTCPayServer.Client
        {
            return policy.StartsWith("btcpay.store", StringComparison.OrdinalIgnoreCase);
        }
-        
+        public static bool IsStoreModifyPolicy(string policy)
+        {
+            return policy.StartsWith("btcpay.store.canmodify", StringComparison.OrdinalIgnoreCase);
+        }
+
        public static bool IsServerPolicy(string policy)
        {
            return policy.StartsWith("btcpay.server", StringComparison.OrdinalIgnoreCase);
--- a/BTCPayServer.Tests/GreenfieldAPITests.cs
+++ b/BTCPayServer.Tests/GreenfieldAPITests.cs
@ -10,8 +10,10 @@ using BTCPayServer.Controllers;
 using BTCPayServer.Events;
 using BTCPayServer.JsonConverters;
 using BTCPayServer.Services;
+using BTCPayServer.Services.Stores;
 using BTCPayServer.Tests.Logging;
 using Microsoft.AspNetCore.Mvc;
+using Microsoft.EntityFrameworkCore;
 using NBitcoin;
 using NBitpayClient;
 using Newtonsoft.Json;
@ -251,6 +253,14 @@ namespace BTCPayServer.Tests
                var scopedClient =
                    await user.CreateClient(Permission.Create(Policies.CanViewStoreSettings, user.StoreId).ToString());
                Assert.Single(await scopedClient.GetStores());
+
+
+                // We strip the user's Owner right, so the key should not work
+                using var ctx = tester.PayTester.GetService<Data.ApplicationDbContextFactory>().CreateContext();
+                var storeEntity = await ctx.UserStore.SingleAsync(u => u.ApplicationUserId == user.UserId && u.StoreDataId == newStore.Id);
+                storeEntity.Role = "Guest";
+                await ctx.SaveChangesAsync();
+                await AssertHttpError(403, async () => await client.UpdateStore(newStore.Id, new UpdateStoreRequest() { Name = "B" }));
            }
        }

--- a/BTCPayServer/Security/GreenField/GreenFieldAuthorizationHandler.cs
+++ b/BTCPayServer/Security/GreenField/GreenFieldAuthorizationHandler.cs
@ -49,6 +49,11 @@ namespace BTCPayServer.Security.GreenField
                            var store = await _storeRepository.FindStore((string)storeId, userid);
                            if (store == null)
                                break;
+                            if(Policies.IsStoreModifyPolicy(policy))
+                            {
+                                if (store.Role != StoreRoles.Owner)
+                                    break;
+                            }
                            success = true;
                            _HttpContext.SetStoreData(store);
                        }