Enforces super user role for admin endpoints
Ensures that only the super user can access and modify manual payment requests via the admin API endpoints. This enhances security by preventing unauthorized access to sensitive administrative functions. Removes dependency on `check_super_user` helper function, instead directly comparing the wallet user with the configured super user in lnbits settings.
This commit is contained in:
parent
246c0a5237
commit
ed38411fc4
1 changed files with 19 additions and 3 deletions
22
views_api.py
22
views_api.py
|
|
@ -779,7 +779,13 @@ async def api_get_all_manual_payment_requests(
|
|||
wallet: WalletTypeInfo = Depends(require_admin_key),
|
||||
) -> list[ManualPaymentRequest]:
|
||||
"""Get all manual payment requests (Castle admin only)"""
|
||||
await check_super_user(wallet.wallet.user)
|
||||
from lnbits.settings import settings as lnbits_settings
|
||||
|
||||
if wallet.wallet.user != lnbits_settings.super_user:
|
||||
raise HTTPException(
|
||||
status_code=HTTPStatus.FORBIDDEN,
|
||||
detail="Only super user can access this endpoint",
|
||||
)
|
||||
return await get_all_manual_payment_requests(status)
|
||||
|
||||
|
||||
|
|
@ -791,7 +797,11 @@ async def api_approve_manual_payment_request(
|
|||
"""Approve a manual payment request and create accounting entry (Castle admin only)"""
|
||||
from lnbits.settings import settings as lnbits_settings
|
||||
|
||||
await check_super_user(wallet.wallet.user)
|
||||
if wallet.wallet.user != lnbits_settings.super_user:
|
||||
raise HTTPException(
|
||||
status_code=HTTPStatus.FORBIDDEN,
|
||||
detail="Only super user can access this endpoint",
|
||||
)
|
||||
|
||||
# Get the request
|
||||
request = await get_manual_payment_request(request_id)
|
||||
|
|
@ -859,7 +869,13 @@ async def api_reject_manual_payment_request(
|
|||
wallet: WalletTypeInfo = Depends(require_admin_key),
|
||||
) -> ManualPaymentRequest:
|
||||
"""Reject a manual payment request (Castle admin only)"""
|
||||
await check_super_user(wallet.wallet.user)
|
||||
from lnbits.settings import settings as lnbits_settings
|
||||
|
||||
if wallet.wallet.user != lnbits_settings.super_user:
|
||||
raise HTTPException(
|
||||
status_code=HTTPStatus.FORBIDDEN,
|
||||
detail="Only super user can access this endpoint",
|
||||
)
|
||||
|
||||
# Get the request
|
||||
request = await get_manual_payment_request(request_id)
|
||||
|
|
|
|||
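Review bot: The super-user guard added in all three hunks (api_get_all_manual_payment_requests, api_approve_manual_payment_request, api_reject_manual_payment_request) is the same five-line block pasted inline, so every future manual-payment admin route has to remember to repeat it; a FastAPI dependency wrapping `require_admin_key` keeps the check in one place and makes it part of each endpoint's signature instead of its body. The function-scope `from lnbits.settings import settings as lnbits_settings` repeated on each request is presumably there to avoid an import cycle; if it can live at module scope the dependency below needs no import of its own. The comparison is fail-closed in that an unset `super_user` rejects every caller, which looks like the right default, though it assumes the configured value and `wallet.wallet.user` share the same id format. All three enclosing functions start before and end after their hunks, and `HTTPException`/`HTTPStatus` are assumed to be imported elsewhere in the file.
```python
def require_super_user(
    wallet: WalletTypeInfo = Depends(require_admin_key),
) -> WalletTypeInfo:
    """Resolve the admin-key wallet and reject it unless its user is the configured super user."""
    if wallet.wallet.user != lnbits_settings.super_user:
        raise HTTPException(
            status_code=HTTPStatus.FORBIDDEN,
            detail="Only super user can access this endpoint",
        )
    return wallet

# … unchanged: the three endpoint bodies; each signature takes
# wallet: WalletTypeInfo = Depends(require_super_user) in place of require_admin_key …
```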