From f40a8853f653b8f1a1aa0e2c7408f1d73ac16fda Mon Sep 17 00:00:00 2001
From: "nicolas.dorier"
Date: Fri, 12 Jun 2020 18:26:20 +0900
Subject: [PATCH] Require Owner role to the store for modifying store via Greenfield

---
 BTCPayServer.Client/Permissions.cs | 6 +++++-
 BTCPayServer.Tests/GreenfieldAPITests.cs | 10 ++++++++++
 .../GreenField/GreenFieldAuthorizationHandler.cs | 5 +++++
 3 files changed, 20 insertions(+), 1 deletion(-)

diff --git a/BTCPayServer.Client/Permissions.cs b/BTCPayServer.Client/Permissions.cs
index 9fc24ce61..dbc932d13 100644
--- a/BTCPayServer.Client/Permissions.cs
+++ b/BTCPayServer.Client/Permissions.cs
@@ -49,7 +49,11 @@ namespace BTCPayServer.Client
 {
 return policy.StartsWith("btcpay.store", StringComparison.OrdinalIgnoreCase);
 }
-
+ public static bool IsStoreModifyPolicy(string policy)
+ {
+ return policy.StartsWith("btcpay.store.canmodify", StringComparison.OrdinalIgnoreCase);
+ }
+
 public static bool IsServerPolicy(string policy)
 {
 return policy.StartsWith("btcpay.server", StringComparison.OrdinalIgnoreCase);
diff --git a/BTCPayServer.Tests/GreenfieldAPITests.cs b/BTCPayServer.Tests/GreenfieldAPITests.cs
index 3cf672d56..b9eef7567 100644
--- a/BTCPayServer.Tests/GreenfieldAPITests.cs
+++ b/BTCPayServer.Tests/GreenfieldAPITests.cs
@@ -10,8 +10,10 @@ using BTCPayServer.Controllers;
 using BTCPayServer.Events;
 using BTCPayServer.JsonConverters;
 using BTCPayServer.Services;
+using BTCPayServer.Services.Stores;
 using BTCPayServer.Tests.Logging;
 using Microsoft.AspNetCore.Mvc;
+using Microsoft.EntityFrameworkCore;
 using NBitcoin;
 using NBitpayClient;
 using Newtonsoft.Json;
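Review bot: `IsStoreModifyPolicy` keys the Owner requirement on a name prefix, so whether a policy is treated as modifying depends solely on it starting with `btcpay.store.canmodify` rather than on an explicit list; a store-level policy that mutates state under a different name (if one exists) would not be caught, and a future policy that merely shares the prefix is caught silently. The predicate also dereferences `policy` without a null check, which matches the sibling predicates in this hunk but is worth keeping in mind for callers that pass a raw claim value. If the policy constants are declared in this same class, deriving the prefix from them instead of a second string literal stops the two from drifting apart. As a public member of the client library it should carry a summary, e.g. `/// <summary>True for policies that permit modifying store settings (prefix "btcpay.store.canmodify"); the Greenfield authorization handler additionally requires the Owner store role for these.</summary>`.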
@@ -251,6 +253,14 @@ namespace BTCPayServer.Tests
 var scopedClient = await user.CreateClient(Permission.Create(Policies.CanViewStoreSettings, user.StoreId).ToString());
 Assert.Single(await scopedClient.GetStores());
+
+
+ // We strip the user's Owner right, so the key should not work
+ using var ctx = tester.PayTester.GetService().CreateContext();
+ var storeEntity = await ctx.UserStore.SingleAsync(u => u.ApplicationUserId == user.UserId && u.StoreDataId == newStore.Id);
+ storeEntity.Role = "Guest";
+ await ctx.SaveChangesAsync();
+ await AssertHttpError(403, async () => await client.UpdateStore(newStore.Id, new UpdateStoreRequest() { Name = "B" }));
 }
 }
diff --git a/BTCPayServer/Security/GreenField/GreenFieldAuthorizationHandler.cs b/BTCPayServer/Security/GreenField/GreenFieldAuthorizationHandler.cs
index 2b4ad7470..f5a872156 100644
--- a/BTCPayServer/Security/GreenField/GreenFieldAuthorizationHandler.cs
+++ b/BTCPayServer/Security/GreenField/GreenFieldAuthorizationHandler.cs
@@ -49,6 +49,11 @@ namespace BTCPayServer.Security.GreenField
 var store = await _storeRepository.FindStore((string)storeId, userid);
 if (store == null)
 break;
+ if(Policies.IsStoreModifyPolicy(policy))
+ {
+ if (store.Role != StoreRoles.Owner)
+ break;
+ }
 success = true;
 _HttpContext.SetStoreData(store);
 }
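Review bot: After the role is downgraded the test only asserts the negative case (403 on `UpdateStore`), so it does not show that the Owner check is confined to modify policies; a Guest holding the view-scoped `scopedClient` should still be able to list the store, which is exactly the behaviour the handler change must preserve, so add `Assert.Single(await scopedClient.GetStores());` after the 403 assertion. The role is written as the bare string `"Guest"` while the handler compares against `StoreRoles.Owner`; if a `StoreRoles.Guest` constant exists, use it so the fixture and the check cannot drift. The enclosing test method starts outside the hunk.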
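Review bot: The new Owner check sits only on the branch where `FindStore` was called with a concrete `storeId`, so if this handler has another branch that accepts a store-modify policy without a store id (a permission not scoped to a single store), that path still does not require the Owner role; the enclosing method starts and ends outside the hunk, so this cannot be confirmed here and should be verified. The nested `if(...) { if (...) break; }` reads better as a single guard with a why-comment, and the missing space after `if` departs from the surrounding style: `// Only the Owner role may change store settings; any other role leaves success false, which the test expects to surface as 403.` followed by `if (Policies.IsStoreModifyPolicy(policy) && store.Role != StoreRoles.Owner) break;`.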