From c189ec49e58b3bda9273c47841d732d89f64e6e8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?dni=20=E2=9A=A1?= Date: Wed, 7 Dec 2022 11:00:48 +0100 Subject: [PATCH] add superuser class to obscure superuser_id for admin in the ui --- lnbits/core/models.py | 1 + lnbits/extensions/admin/crud.py | 20 ++++++++++++++++---- lnbits/extensions/admin/models.py | 6 +++++- lnbits/extensions/admin/views_api.py | 7 ++++--- lnbits/settings.py | 6 +++--- 5 files changed, 29 insertions(+), 11 deletions(-) diff --git a/lnbits/core/models.py b/lnbits/core/models.py index d6a20a2a2..691995dea 100644 --- a/lnbits/core/models.py +++ b/lnbits/core/models.py @@ -63,6 +63,7 @@ class User(BaseModel): wallets: List[Wallet] = [] password: Optional[str] = None admin: bool = False + super_user: bool = False @property def wallet_ids(self) -> List[str]: diff --git a/lnbits/extensions/admin/crud.py b/lnbits/extensions/admin/crud.py index be23c66f1..88db5a0dc 100644 --- a/lnbits/extensions/admin/crud.py +++ b/lnbits/extensions/admin/crud.py @@ -6,7 +6,7 @@ from lnbits.settings import readonly_variables, settings from lnbits.tasks import internal_invoice_queue from . import db -from .models import AdminSettings, UpdateSettings +from .models import SuperSettings, AdminSettings, UpdateSettings async def update_wallet_balance(wallet_id: str, amount: int): 
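Review bot: The new `super_user` field on `User` sits next to `admin` with nothing saying how the two differ or where it is populated, and nothing in this commit shows the code that sets it (views_api only reads `user.super_user`). A short comment on the field would save the next reader a search, e.g. `super_user: bool = False  # True only for the configured super user; set by the auth layer — confirm where`. The `User` class body continues outside the hunk.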
@@ -25,13 +25,24 @@ async def update_wallet_balance(wallet_id: str, amount: int): return payment -async def get_admin_settings() -> Optional[AdminSettings]: +async def get_super_settings() -> Optional[SuperSettings]: row = await db.fetchone("SELECT * FROM admin.settings") if not row: return None - return AdminSettings( - lnbits_allowed_funding_sources=settings.lnbits_allowed_funding_sources, **row + return SuperSettings(**row) + + +async def get_admin_settings(is_super_user: bool = False) -> Optional[AdminSettings]: + sets = await get_super_settings() + if not sets: + return None + row_dict = dict(sets) + row_dict.pop("super_user") + admin_settings = AdminSettings( + super_user=is_super_user, lnbits_allowed_funding_sources=settings.lnbits_allowed_funding_sources, **row_dict ) + return admin_settings + async def delete_admin_settings(): @@ -46,6 +57,7 @@ async def update_admin_settings(data: UpdateSettings): def get_q_and_values(data): keys = [] values = [] + # exclude from api updates data.pop("lnbits_allowed_funding_sources") data.pop("super_user") for key, value in data.items(): diff --git a/lnbits/extensions/admin/models.py b/lnbits/extensions/admin/models.py index 52fb7921f..408f7c21a 100644 --- a/lnbits/extensions/admin/models.py +++ b/lnbits/extensions/admin/models.py @@ -79,6 +79,10 @@ class UpdateSettings(BaseModel, extra=Extra.forbid): boltz_url: str = Query(None) +class SuperSettings(UpdateSettings): + super_user: str + + class AdminSettings(UpdateSettings): + super_user: bool lnbits_allowed_funding_sources: Optional[List[str]] - super_user: Optional[bool] diff --git a/lnbits/extensions/admin/views_api.py b/lnbits/extensions/admin/views_api.py index b3b45c337..3160c5596 100644 --- a/lnbits/extensions/admin/views_api.py +++ b/lnbits/extensions/admin/views_api.py 
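Review bot: `get_super_settings` now returns the row with the real super-user id while `get_admin_settings` strips it to a bool, but neither function has a docstring saying which one is safe to hand to an API client, and that distinction is the whole point of the change. I would add `"""Return the raw settings row, including the super-user id; for server-side use only."""` to `get_super_settings` and `"""Return settings for the admin UI; super_user is only a flag saying whether the caller is the super user."""` to `get_admin_settings`. As a point of style, `is_super_user` is a bare boolean that the caller in views_api passes positionally; passing it as `is_super_user=user.super_user` at the call site would read better, and the `AdminSettings(...)` construction should be wrapped one keyword per line rather than on a single long line. The comment added in the later `get_q_and_values` hunk of this file (`# exclude from api updates`) is fine as far as it goes, but the two `pop` calls beneath it have no default, so they raise `KeyError` if a caller ever omits those keys; `data.pop("super_user", None)` would make the exclusion unconditional.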
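Review bot: `SuperSettings` and `AdminSettings` differ only in the type of `super_user` (`str` holding the real id versus `bool` flag), and without docstrings a reader cannot tell that one is meant to stay server-side and the other is the API-facing view. I would add `"""Settings as stored, including the super-user id; never return this from an API route."""` on `SuperSettings` and `"""Settings exposed to admins; super_user is only whether the caller is the super user."""` on `AdminSettings`. Note also that `AdminSettings.super_user` changed from `Optional[bool]` to a required `bool`, so any other place that constructs `AdminSettings` without passing it will now fail validation; the only constructor visible in this commit (`get_admin_settings`) does pass it, but others are not visible here.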
@@ -29,9 +29,10 @@ async def api_restart_server() -> dict[str, str]: @admin_ext.get("/api/v1/settings/") -async def api_get_settings(user: User = Depends(check_admin)) -> Optional[AdminSettings]: - admin_settings = await get_admin_settings() - admin_settings.super_user = user.super_user +async def api_get_settings( + user: User = Depends(check_admin) #type: ignore +) -> Optional[AdminSettings]: + admin_settings = await get_admin_settings(user.super_user) return admin_settings diff --git a/lnbits/settings.py b/lnbits/settings.py index 56a0e197f..1d05b882d 100644 --- a/lnbits/settings.py +++ b/lnbits/settings.py @@ -207,10 +207,10 @@ async def check_admin_settings(): # if not imported here, circular import error from lnbits.extensions.admin.crud import ( create_admin_settings, - get_admin_settings, + get_super_settings, ) - sets = await get_admin_settings() + sets = await get_super_settings() if not sets: # create new settings if table is empty logger.warning( @@ -218,7 +218,7 @@ async def check_admin_settings(): ) await create_admin_settings() logger.warning("initialized admin.settings from enviroment variables.") - sets = await get_admin_settings() + sets = await get_super_settings() if sets: for key, value in sets.dict().items():
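Review bot: The `#type: ignore` on the `user` parameter carries no reason, so it will silently hide any future genuine type error on that line; the conventional spelling is `# type: ignore` with a space, followed by a note on why the checker objects to `Depends(check_admin)` here (presumably the dependency's declared return type, which is not visible in the hunk). Separately, `get_admin_settings` is typed `Optional[AdminSettings]`, so when the settings table is empty this endpoint now responds 200 with a null body where the old code would have raised on `None.super_user`; an explicit error response when `admin_settings is None` would be clearer for the UI than a silent null.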