mirrors/btcpayserver
1
0
Fork 0
mirror of https://github.com/btcpayserver/btcpayserver.git synced 2025-01-19 05:33:31 +01:00
Code Issues Packages Projects Releases Wiki Activity

Remove right to admins to bypass permissions to modify/view invoices or stores (#3297)

Browse Source
This commit is contained in:
Nicolas Dorier 2022-01-13 17:42:32 +09:00 committed by GitHub
parent 5ad6d77973
commit f67fa6a5d6
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 3 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
BTCPayServer/Security/CookieAuthorizationHandler.cs
View File

@ -127,20 +127,14 @@ namespace BTCPayServer.Security
if (isAdmin)
success = true;
break;
case Policies.CanViewInvoices:
if (store == null || store.Role == StoreRoles.Owner || isAdmin)
success = true;
break;
case Policies.CanModifyStoreSettings:
if (store != null && (store.Role == StoreRoles.Owner || isAdmin))
if (store != null && (store.Role == StoreRoles.Owner))
success = true;
break;
case Policies.CanViewInvoices:
case Policies.CanViewStoreSettings:
if (store != null || isAdmin)
success = true;
break;
case Policies.CanCreateInvoice:
if (store != null || isAdmin)
if (store != null)
success = true;
break;
case Policies.CanViewProfile: