enhance fine grain permissions

BTCPayServer.Abstractions/TagHelpers/PermissionTagHelper.cs

@@ -2,12 +2,13 @@
 using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Http;
 using Microsoft.AspNetCore.Razor.TagHelpers;
-using Microsoft.Extensions.Logging;
+using System;
+using System.Linq;
 
 namespace BTCPayServer.Abstractions.TagHelpers;
 
 [HtmlTargetElement(Attributes = "[permission]")]
-[HtmlTargetElement(Attributes = "[not-permission]"  )]
+[HtmlTargetElement(Attributes = "[not-permission]")]
 public class PermissionTagHelper : TagHelper
 {
     private readonly IAuthorizationService _authorizationService;
@@ -22,29 +23,72 @@ public PermissionTagHelper(IAuthorizationService authorizationService, IHttpCont
     public string Permission { get; set; }
     public string NotPermission { get; set; }
     public string PermissionResource { get; set; }
-
+    public bool AndMode { get; set; } = false;
 
     public override async Task ProcessAsync(TagHelperContext context, TagHelperOutput output)
     {
-        if (string.IsNullOrEmpty(Permission) && string.IsNullOrEmpty(NotPermission))
+        var permissions = Permission?.Split(',', StringSplitOptions.RemoveEmptyEntries) ?? Array.Empty<string>();
+        var notPermissions = NotPermission?.Split(',', StringSplitOptions.RemoveEmptyEntries) ?? Array.Empty<string>();
+
+        if (!permissions.Any() && !notPermissions.Any())
             return;
         if (_httpContextAccessor.HttpContext is null)
             return;
 
-        var expectedResult = !string.IsNullOrEmpty(Permission);
-        var key = $"{Permission??NotPermission}_{PermissionResource}";
-        if (!_httpContextAccessor.HttpContext.Items.TryGetValue(key, out var o) ||
-            o is not AuthorizationResult res)
+        bool shouldRender = true; // Assume tag should be rendered unless a check fails
+
+        // Process 'Permission' - User must have these permissions
+        if (permissions.Any())
         {
-            res = await _authorizationService.AuthorizeAsync(_httpContextAccessor.HttpContext.User,
-                PermissionResource,
-                Permission);
-            _httpContextAccessor.HttpContext.Items.Add(key, res);
+            bool finalResult = AndMode;
+            foreach (var perm in permissions)
+            {
+                var key = $"{perm}_{PermissionResource}";
+                AuthorizationResult res = await GetOrAddAuthorizationResult(key, perm);
+
+                if (AndMode)
+                    finalResult &= res.Succeeded;
+                else
+                    finalResult |= res.Succeeded;
+
+                if (!AndMode && finalResult) break;
+            }
+
+            shouldRender = finalResult;
         }
-        if (expectedResult != res.Succeeded)
+
+        // Process 'NotPermission' - User must not have these permissions
+        if (shouldRender && notPermissions.Any())
+        {
+            foreach (var notPerm in notPermissions)
+            {
+                var key = $"{notPerm}_{PermissionResource}";
+                AuthorizationResult res = await GetOrAddAuthorizationResult(key, notPerm);
+
+                if (res.Succeeded) // If the user has a 'NotPermission', they should not see the tag
+                {
+                    shouldRender = false;
+                    break;
+                }
+            }
+        }
+
+        if (!shouldRender)
         {
             output.SuppressOutput();
         }
+    }
+
+    private async Task<AuthorizationResult> GetOrAddAuthorizationResult(string key, string permission)
+    {
+        if (!_httpContextAccessor.HttpContext.Items.TryGetValue(key, out var cachedResult))
+        {
+            var res = await _authorizationService.AuthorizeAsync(_httpContextAccessor.HttpContext.User,
+                PermissionResource, permission);
+            _httpContextAccessor.HttpContext.Items[key] = res;
+            return res;
+        }
 
+        return cachedResult as AuthorizationResult;
     }
 }

BTCPayServer.Client/Permissions.cs

@@ -19,6 +19,7 @@ public class Policies
         public const string CanModifyStoreWebhooks = "btcpay.store.webhooks.canmodifywebhooks";
         public const string CanModifyStoreSettingsUnscoped = "btcpay.store.canmodifystoresettings:";
         public const string CanViewStoreSettings = "btcpay.store.canviewstoresettings";
+        public const string CanViewReports = "btcpay.store.canviewreports";
         public const string CanViewInvoices = "btcpay.store.canviewinvoices";
         public const string CanCreateInvoice = "btcpay.store.cancreateinvoice";
         public const string CanModifyInvoices = "btcpay.store.canmodifyinvoices";
@@ -34,7 +35,10 @@ public class Policies
         public const string CanDeleteUser = "btcpay.user.candeleteuser";
         public const string CanManagePullPayments = "btcpay.store.canmanagepullpayments";
         public const string CanArchivePullPayments = "btcpay.store.canarchivepullpayments";
+        public const string CanManagePayouts = "btcpay.store.canmanagepayouts";
+        public const string CanViewPayouts = "btcpay.store.canviewpayouts";
         public const string CanCreatePullPayments = "btcpay.store.cancreatepullpayments";
+        public const string CanViewPullPayments = "btcpay.store.canviewpullpayments";
         public const string CanCreateNonApprovedPullPayments = "btcpay.store.cancreatenonapprovedpullpayments";
         public const string CanViewCustodianAccounts = "btcpay.store.canviewcustodianaccounts";
         public const string CanManageCustodianAccounts = "btcpay.store.canmanagecustodianaccounts";
@@ -53,6 +57,7 @@ public static IEnumerable<string> AllPolicies
                 yield return CanModifyServerSettings;
                 yield return CanModifyStoreSettings;
                 yield return CanViewStoreSettings;
+                yield return CanViewReports;
                 yield return CanViewPaymentRequests;
                 yield return CanModifyPaymentRequests;
                 yield return CanModifyProfile;
@@ -72,13 +77,16 @@ public static IEnumerable<string> AllPolicies
                 yield return CanManagePullPayments;
                 yield return CanArchivePullPayments;
                 yield return CanCreatePullPayments;
+                yield return CanViewPullPayments;
                 yield return CanCreateNonApprovedPullPayments;
                 yield return CanViewCustodianAccounts;
                 yield return CanManageCustodianAccounts;
                 yield return CanDepositToCustodianAccounts;
                 yield return CanWithdrawFromCustodianAccounts;
                 yield return CanTradeCustodianAccount;
                 yield return CanManageUsers;
+                yield return CanManagePayouts;
+                yield return CanViewPayouts;
             }
         }
         public static bool IsValidPolicy(string policy)
@@ -252,11 +260,13 @@ private static bool ContainsPolicy(string policy, string subpolicy)
                 Policies.CanViewStoreSettings,
                 Policies.CanModifyStoreWebhooks,
                 Policies.CanModifyPaymentRequests,
+                Policies.CanManagePayouts,
                 Policies.CanUseLightningNodeInStore);
 
             PolicyHasChild(policyMap,Policies.CanManageUsers, Policies.CanCreateUser);
             PolicyHasChild(policyMap,Policies.CanManagePullPayments, Policies.CanCreatePullPayments, Policies.CanArchivePullPayments);
             PolicyHasChild(policyMap,Policies.CanCreatePullPayments, Policies.CanCreateNonApprovedPullPayments);
+            PolicyHasChild(policyMap, Policies.CanCreateNonApprovedPullPayments, Policies.CanViewPullPayments);
             PolicyHasChild(policyMap,Policies.CanModifyPaymentRequests, Policies.CanViewPaymentRequests);
             PolicyHasChild(policyMap,Policies.CanModifyProfile, Policies.CanViewProfile);
             PolicyHasChild(policyMap,Policies.CanUseLightningNodeInStore, Policies.CanViewLightningInvoiceInStore, Policies.CanCreateLightningInvoiceInStore);
@@ -267,7 +277,8 @@ private static bool ContainsPolicy(string policy, string subpolicy)
             PolicyHasChild(policyMap, Policies.CanUseInternalLightningNode, Policies.CanCreateLightningInvoiceInternalNode, Policies.CanViewLightningInvoiceInternalNode);
             PolicyHasChild(policyMap, Policies.CanManageCustodianAccounts, Policies.CanViewCustodianAccounts);
             PolicyHasChild(policyMap, Policies.CanModifyInvoices, Policies.CanViewInvoices, Policies.CanCreateInvoice, Policies.CanCreateLightningInvoiceInStore);
-            PolicyHasChild(policyMap, Policies.CanViewStoreSettings, Policies.CanViewInvoices, Policies.CanViewPaymentRequests);
+            PolicyHasChild(policyMap, Policies.CanViewStoreSettings, Policies.CanViewInvoices, Policies.CanViewPaymentRequests, Policies.CanViewReports, Policies.CanViewPullPayments, Policies.CanViewPayouts);
+            PolicyHasChild(policyMap, Policies.CanManagePayouts, Policies.CanViewPayouts);
 
             var missingPolicies = Policies.AllPolicies.ToHashSet();
             //recurse through the tree to see which policies are not included in the tree

BTCPayServer/Components/MainNav/Default.cshtml

@@ -133,25 +133,25 @@
                                             <span>Invoices</span>
                                         </a>
                                     </li>
-									<li class="nav-item" permission="@Policies.CanViewInvoices">
+									<li class="nav-item" permission="@Policies.CanViewReports">
 										<a asp-area="" asp-controller="UIReports" asp-action="StoreReports" asp-route-storeId="@Model.Store.Id" class="nav-link @ViewData.IsActivePage(StoreNavPages.Reporting)" id="SectionNav-Reporting">
 											<vc:icon symbol="invoice" />
 											<span>Reporting</span>
 										</a>
 									</li>
-                                    <li class="nav-item" permission="@Policies.CanModifyStoreSettings">
+                                    <li class="nav-item" permission="@Policies.CanViewPaymentRequests">
                                         <a asp-area="" asp-controller="UIPaymentRequest" asp-action="GetPaymentRequests" asp-route-storeId="@Model.Store.Id" class="nav-link @ViewData.IsActiveCategory(typeof(PaymentRequestsNavPages))" id="StoreNav-PaymentRequests">
                                             <vc:icon symbol="payment-requests"/>
                                             <span>Requests</span>
                                         </a>
                                     </li>
-                                    <li class="nav-item" permission="@Policies.CanViewStoreSettings">
+                                    <li class="nav-item" permission="@Policies.CanViewPullPayments">
                                         <a asp-area="" asp-controller="UIStorePullPayments" asp-action="PullPayments" asp-route-storeId="@Model.Store.Id" class="nav-link @ViewData.IsActivePage(StoreNavPages.PullPayments)" id="StoreNav-PullPayments">
                                             <vc:icon symbol="pull-payments"/>
                                             <span>Pull Payments</span>
                                         </a>
                                     </li>
-                                    <li class="nav-item" permission="@Policies.CanModifyStoreSettings">
+                                    <li class="nav-item" permission="@Policies.CanViewPayouts">
                                         <a asp-area="" 
                                            asp-controller="UIStorePullPayments" asp-action="Payouts" 
                                            asp-route-pullPaymentId=""

BTCPayServer/Components/StoreSelector/Default.cshtml

@@ -31,8 +31,7 @@
 }
 else
 {
-    <a asp-controller="UIStores" asp-action="Dashboard" permission="@Policies.CanModifyStoreSettings" asp-route-storeId="@Model.CurrentStoreId" id="StoreSelectorHome" class="navbar-brand py-2">@{await LogoContent();}</a>
-    <a asp-controller="UIInvoice" asp-action="ListInvoices" not-permission="@Policies.CanModifyStoreSettings" asp-route-storeId="@Model.CurrentStoreId" id="StoreSelectorHome" class="navbar-brand py-2">@{await LogoContent();}</a>
+    <a asp-controller="UIStores" asp-action="Index" asp-route-storeId="@Model.CurrentStoreId" id="StoreSelectorHome" class="navbar-brand py-2">@{await LogoContent();}</a>
 }
 @if (Model.Options.Any() || Model.ArchivedCount > 0)
 {
@@ -54,21 +53,14 @@ else
                 @foreach (var option in Model.Options)
                 {
                     <li>
-                        @if (option.IsOwner)
-                        {
-                            <a asp-controller="UIStores" asp-action="Dashboard" asp-route-storeId="@option.Value" class="dropdown-item@(option.Selected ? " active" : "")" id="StoreSelectorMenuItem-@option.Value">@StoreName(option.Text)</a>
-                        }
-                        else
-                        {
-                            <a asp-controller="UIInvoice" asp-action="ListInvoices" asp-route-storeId="@option.Value" class="dropdown-item@(option.Selected ? " active" : "")" id="StoreSelectorMenuItem-@option.Value">@StoreName(option.Text)</a>
-                        }
+                        <a asp-controller="UIStores" asp-action="Index" asp-route-storeId="@option.Value" class="dropdown-item@(option.Selected ? " active" : "")" id="StoreSelectorMenuItem-@option.Value">@StoreName(option.Text)</a>
                     </li>
                 }
                 @if (Model.Options.Any())
                 {
                     <li><hr class="dropdown-divider"></li>
                 }
-                <li><a asp-controller="UIUserStores" asp-action="CreateStore" class="dropdown-item @ViewData.IsActivePage(StoreNavPages.Create)" id="StoreSelectorCreate">Create Store</a></li>
+                <li ><a asp-controller="UIUserStores" asp-action="CreateStore" class="dropdown-item @ViewData.IsActivePage(StoreNavPages.Create)" id="StoreSelectorCreate">Create Store</a></li>
                 @if (Model.ArchivedCount > 0)
                 {
                     <li><hr class="dropdown-divider"></li>

BTCPayServer/Components/StoreSelector/StoreSelector.cs

@@ -48,7 +48,7 @@ public async Task<IViewComponentResult> InvokeAsync()
                         Value = store.Id,
                         Selected = store.Id == currentStore?.Id,
                         WalletId = walletId,
-                        IsOwner = role != null && role.Permissions.Contains(Policies.CanModifyStoreSettings)
+                        Store = store,
                     };
                 })
                 .OrderBy(s => s.Text)

BTCPayServer/Components/StoreSelector/StoreSelectorViewModel.cs

@@ -1,4 +1,5 @@
 using System.Collections.Generic;
+using BTCPayServer.Data;
 
 namespace BTCPayServer.Components.StoreSelector
 {
@@ -14,9 +15,9 @@ public class StoreSelectorViewModel
     public class StoreSelectorOption
     {
         public bool Selected { get; set; }
-        public bool IsOwner { get; set; }
         public string Text { get; set; }
         public string Value { get; set; }
         public WalletId WalletId { get; set; }
+        public StoreData Store { get; set; }
     }
 }

BTCPayServer/Controllers/GreenField/GreenfieldPullPaymentController.cs

@@ -58,7 +58,7 @@ public class GreenfieldPullPaymentController : ControllerBase
         }
 
         [HttpGet("~/api/v1/stores/{storeId}/pull-payments")]
-        [Authorize(Policy = Policies.CanManagePullPayments, AuthenticationSchemes = AuthenticationSchemes.Greenfield)]
+        [Authorize(Policy = Policies.CanViewPullPayments, AuthenticationSchemes = AuthenticationSchemes.Greenfield)]
         public async Task<IActionResult> GetPullPayments(string storeId, bool includeArchived = false)
         {
             using var ctx = _dbContextFactory.CreateContext();
@@ -456,7 +456,7 @@ public async Task<IActionResult> ArchivePullPayment(string storeId, string pullP
 
 
         [HttpGet("~/api/v1/stores/{storeId}/payouts")]
-        [Authorize(Policy = Policies.CanManagePullPayments, AuthenticationSchemes = AuthenticationSchemes.Greenfield)]
+        [Authorize(Policy = Policies.CanViewPayouts, AuthenticationSchemes = AuthenticationSchemes.Greenfield)]
         public async Task<IActionResult> GetStorePayouts(string storeId, bool includeCancelled = false)
         {
             var payouts = await _pullPaymentService.GetPayouts(new PullPaymentHostedService.PayoutQuery()
@@ -471,15 +471,15 @@ public async Task<IActionResult> GetStorePayouts(string storeId, bool includeCan
         }
 
         [HttpDelete("~/api/v1/stores/{storeId}/payouts/{payoutId}")]
-        [Authorize(Policy = Policies.CanManagePullPayments, AuthenticationSchemes = AuthenticationSchemes.Greenfield)]
+        [Authorize(Policy = Policies.CanManagePayouts, AuthenticationSchemes = AuthenticationSchemes.Greenfield)]
         public async Task<IActionResult> CancelPayout(string storeId, string payoutId)
         {
             var res = await _pullPaymentService.Cancel(new PullPaymentHostedService.CancelRequest(new[] { payoutId }, new[] { storeId }));
             return MapResult(res.First().Value);
         }
 
         [HttpPost("~/api/v1/stores/{storeId}/payouts/{payoutId}")]
-        [Authorize(Policy = Policies.CanManagePullPayments, AuthenticationSchemes = AuthenticationSchemes.Greenfield)]
+        [Authorize(Policy = Policies.CanManagePayouts, AuthenticationSchemes = AuthenticationSchemes.Greenfield)]
         public async Task<IActionResult> ApprovePayout(string storeId, string payoutId, ApprovePayoutRequest approvePayoutRequest, CancellationToken cancellationToken = default)
         {
             using var ctx = _dbContextFactory.CreateContext();
@@ -533,7 +533,7 @@ public async Task<IActionResult> ApprovePayout(string storeId, string payoutId,
         }
 
         [HttpPost("~/api/v1/stores/{storeId}/payouts/{payoutId}/mark-paid")]
-        [Authorize(Policy = Policies.CanManagePullPayments, AuthenticationSchemes = AuthenticationSchemes.Greenfield)]
+        [Authorize(Policy = Policies.CanManagePayouts, AuthenticationSchemes = AuthenticationSchemes.Greenfield)]
         public async Task<IActionResult> MarkPayoutPaid(string storeId, string payoutId, CancellationToken cancellationToken = default)
         {
             return await MarkPayout(storeId, payoutId, new Client.Models.MarkPayoutRequest()
@@ -544,7 +544,7 @@ public async Task<IActionResult> MarkPayoutPaid(string storeId, string payoutId,
         }
 
         [HttpPost("~/api/v1/stores/{storeId}/payouts/{payoutId}/mark")]
-        [Authorize(Policy = Policies.CanManagePullPayments, AuthenticationSchemes = AuthenticationSchemes.Greenfield)]
+        [Authorize(Policy = Policies.CanManagePayouts, AuthenticationSchemes = AuthenticationSchemes.Greenfield)]
         public async Task<IActionResult> MarkPayout(string storeId, string payoutId, Client.Models.MarkPayoutRequest request)
         {
             request ??= new();
@@ -571,7 +571,7 @@ public async Task<IActionResult> MarkPayout(string storeId, string payoutId, Cli
         }
 
         [HttpGet("~/api/v1/stores/{storeId}/payouts/{payoutId}")]
-        [Authorize(Policy = Policies.CanManagePullPayments, AuthenticationSchemes = AuthenticationSchemes.Greenfield)]
+        [Authorize(Policy = Policies.CanViewPayouts, AuthenticationSchemes = AuthenticationSchemes.Greenfield)]
         public async Task<IActionResult> GetStorePayout(string storeId, string payoutId)
         {
             await using var ctx = _dbContextFactory.CreateContext();

BTCPayServer/Controllers/GreenField/GreenfieldReportsController.cs

@@ -32,7 +32,7 @@ public class GreenfieldReportsController : Controller
     public ApplicationDbContextFactory DBContextFactory { get; }
     public ReportService ReportService { get; }
 
-    [Authorize(Policy = Policies.CanViewStoreSettings, AuthenticationSchemes = AuthenticationSchemes.Greenfield)]
+    [Authorize(Policy = Policies.CanViewReports, AuthenticationSchemes = AuthenticationSchemes.Greenfield)]
     [HttpPost("~/api/v1/stores/{storeId}/reports")]
     [NonAction] // Disabling this endpoint as we still need to figure out the request/response model
     public async Task<IActionResult> StoreReports(string storeId, [FromBody] StoreReportRequest? vm = null, CancellationToken cancellationToken = default)