From ed38411fc4c0b7844d8ee9059ed4e80120c2280e Mon Sep 17 00:00:00 2001
From: padreug
Date: Wed, 22 Oct 2025 18:19:52 +0200
Subject: [PATCH] Enforces super user role for admin endpoints

Ensures that only the super user can access and modify manual payment requests via the admin API endpoints. This enhances security by preventing unauthorized access to sensitive administrative functions. Removes dependency on `check_super_user` helper function, instead directly comparing the wallet user with the configured super user in lnbits settings.
---
 views_api.py | 22 +++++++++++++++++++---
 1 file changed, 19 insertions(+), 3 deletions(-)

diff --git a/views_api.py b/views_api.py
index be9aeb6..fe16e3b 100644
--- a/views_api.py
+++ b/views_api.py
@@ -779,7 +779,13 @@ async def api_get_all_manual_payment_requests(
     wallet: WalletTypeInfo = Depends(require_admin_key),
 ) -> list[ManualPaymentRequest]:
     """Get all manual payment requests (Castle admin only)"""
-    await check_super_user(wallet.wallet.user)
+    from lnbits.settings import settings as lnbits_settings
+
+    if wallet.wallet.user != lnbits_settings.super_user:
+        raise HTTPException(
+            status_code=HTTPStatus.FORBIDDEN,
+            detail="Only super user can access this endpoint",
+        )
     return await get_all_manual_payment_requests(status)
 
 
@@ -791,7 +797,11 @@ async def api_approve_manual_payment_request(
     """Approve a manual payment request and create accounting entry (Castle admin only)"""
     from lnbits.settings import settings as lnbits_settings
 
-    await check_super_user(wallet.wallet.user)
+    if wallet.wallet.user != lnbits_settings.super_user:
+        raise HTTPException(
+            status_code=HTTPStatus.FORBIDDEN,
+            detail="Only super user can access this endpoint",
+        )
 
     # Get the request
     request = await get_manual_payment_request(request_id)
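Review bot: The super-user guard inserted after the docstring of api_get_all_manual_payment_requests is the same seven lines pasted again in the other two hunks, so a fourth admin endpoint can silently omit it; a FastAPI dependency that wraps `require_admin_key` and returns the wallet makes the check declarative and impossible to forget. The plain `!=` also passes when `wallet.wallet.user` and `lnbits_settings.super_user` are both empty — whether either can be empty depends on how LNbits populates them, which this patch does not show — so the dependency should refuse outright when `super_user` is unset. The function-scope `from lnbits.settings import settings as lnbits_settings` would then live once at module level (the file's import block is outside this patch). Each endpoint then declares `wallet: WalletTypeInfo = Depends(require_super_user)` and drops the inline block.
```python
async def require_super_user(
    wallet: WalletTypeInfo = Depends(require_admin_key),
) -> WalletTypeInfo:
    """Resolve the caller's wallet and reject it unless its owner is the configured LNbits super user."""
    # Fail closed: an unset super_user must never match anything.
    if not lnbits_settings.super_user or wallet.wallet.user != lnbits_settings.super_user:
        raise HTTPException(
            status_code=HTTPStatus.FORBIDDEN,
            detail="Only super user can access this endpoint",
        )
    return wallet

# … unchanged: route decorator and other parameters of api_get_all_manual_payment_requests …
    wallet: WalletTypeInfo = Depends(require_super_user),
) -> list[ManualPaymentRequest]:
    """Get all manual payment requests (LNbits super user only)"""
    return await get_all_manual_payment_requests(status)
```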
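Review bot: The docstring of api_approve_manual_payment_request still says `(Castle admin only)` while the guard added below it enforces a different rule — the caller must be the LNbits super user, and the `require_admin_key` dependency on its own only proves possession of some wallet's admin key. I would rewrite it as `"""Approve a manual payment request and create accounting entry (LNbits super user only; 403 otherwise)."""` so the actual access rule is visible at the signature rather than buried in the body. The function-scope import on the context line above the guard is pre-existing and not part of this change, but it is the natural thing to hoist when the three copies of the check are consolidated. The function's body continues past the end of the hunk.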
@@ -859,7 +869,13 @@ async def api_reject_manual_payment_request(
     wallet: WalletTypeInfo = Depends(require_admin_key),
 ) -> ManualPaymentRequest:
     """Reject a manual payment request (Castle admin only)"""
-    await check_super_user(wallet.wallet.user)
+    from lnbits.settings import settings as lnbits_settings
+
+    if wallet.wallet.user != lnbits_settings.super_user:
+        raise HTTPException(
+            status_code=HTTPStatus.FORBIDDEN,
+            detail="Only super user can access this endpoint",
+        )
 
     # Get the request
     request = await get_manual_payment_request(request_id)
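Review bot: The guard `if wallet.wallet.user != lnbits_settings.super_user:` in api_reject_manual_payment_request is a pure equality test, so it fails open if `super_user` is unset and `wallet.wallet.user` happens to hold the same empty value; the patch does not show how either field is populated, so this may be unreachable today, but an authorization check should not depend on that. Rejecting an unset setting first, `if not lnbits_settings.super_user or wallet.wallet.user != lnbits_settings.super_user:`, makes it fail closed. If the removed `check_super_user` helper did anything beyond this comparison — its body is not in the patch — that behaviour is dropped here and in the two sibling hunks, which is worth confirming before merge. The function continues past the end of the hunk.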