Compare commits
7 Commits
Author | SHA1 | Date | |
93f8222f06 | |||
2c22b4adba | |||
ca4ac2e654 | |||
64a77c70ad | |||
79fa51a880 | |||
2ee98d54c4 | |||
c78a16ce28 |
@ -33,6 +33,7 @@ namespace BTCPayServer.Client
public const string CanManageUsers = "btcpay.server.canmanageusers";
public const string CanDeleteUser = "btcpay.user.candeleteuser";
public const string CanManagePullPayments = "";
public const string CanArchivePullPayments = "";
public const string CanCreatePullPayments = "";
public const string CanCreateNonApprovedPullPayments = "";
public const string CanViewCustodianAccounts = "";
@ -69,6 +70,7 @@ namespace BTCPayServer.Client
yield return CanViewLightningInvoiceInStore;
yield return CanCreateLightningInvoiceInStore;
yield return CanManagePullPayments;
yield return CanArchivePullPayments;
yield return CanCreatePullPayments;
yield return CanCreateNonApprovedPullPayments;
yield return CanViewCustodianAccounts;
@ -253,7 +255,7 @@ namespace BTCPayServer.Client
PolicyHasChild(policyMap,Policies.CanManageUsers, Policies.CanCreateUser);
PolicyHasChild(policyMap,Policies.CanManagePullPayments, Policies.CanCreatePullPayments);
PolicyHasChild(policyMap,Policies.CanManagePullPayments, Policies.CanCreatePullPayments, Policies.CanArchivePullPayments);
PolicyHasChild(policyMap,Policies.CanCreatePullPayments, Policies.CanCreateNonApprovedPullPayments);
PolicyHasChild(policyMap,Policies.CanModifyPaymentRequests, Policies.CanViewPaymentRequests);
PolicyHasChild(policyMap,Policies.CanModifyProfile, Policies.CanViewProfile);
@ -885,7 +885,7 @@ namespace BTCPayServer.Tests
TestLogs.LogInformation("Can't archive without knowing the walletId");
var ex = await AssertAPIError("missing-permission", async () => await client.ArchivePullPayment("lol", result.Id));
Assert.Equal("", ((GreenfieldPermissionAPIError)ex.APIError).MissingPermission);
Assert.Equal("", ((GreenfieldPermissionAPIError)ex.APIError).MissingPermission);
TestLogs.LogInformation("Can't archive without permission");
await AssertAPIError("unauthenticated", async () => await unauthenticated.ArchivePullPayment(storeId, result.Id));
await client.ArchivePullPayment(storeId, result.Id);
@ -38,6 +38,7 @@ using OpenQA.Selenium.Support.Extensions;
using OpenQA.Selenium.Support.UI;
using Xunit;
using Xunit.Abstractions;
using Xunit.Sdk;
namespace BTCPayServer.Tests
@ -926,7 +927,8 @@ namespace BTCPayServer.Tests
AssertPermissions(pageSource, false,
@ -1820,6 +1822,7 @@ namespace BTCPayServer.Tests
TestUtils.Eventually(() =>
Assert.Contains("transaction-label", s.Driver.PageSource);
var labels = s.Driver.FindElements(By.CssSelector("#WalletTransactionsList tr:first-child div.transaction-label"));
Assert.Equal(2, labels.Count);
@ -1989,10 +1992,7 @@ namespace BTCPayServer.Tests
Assert.Contains(bolt, s.Driver.PageSource);
//auto-approve pull payments
@ -2022,6 +2022,8 @@ namespace BTCPayServer.Tests
var lnurl = new Uri(LNURL.LNURL.Parse(s.Driver.FindElement(By.Id("qr-code-data-input")).GetAttribute("value"), out _).ToString().Replace("https", "http"));
var info = Assert.IsType<LNURLWithdrawRequest>(await LNURL.LNURL.FetchInformation(lnurl, s.Server.PayTester.HttpClient));
@ -442,7 +442,7 @@ namespace BTCPayServer.Controllers.Greenfield
[Authorize(Policy = Policies.CanManagePullPayments, AuthenticationSchemes = AuthenticationSchemes.Greenfield)]
[Authorize(Policy = Policies.CanArchivePullPayments, AuthenticationSchemes = AuthenticationSchemes.Greenfield)]
public async Task<IActionResult> ArchivePullPayment(string storeId, string pullPaymentId)
using var ctx = _dbContextFactory.CreateContext();
@ -544,6 +544,8 @@ namespace BTCPayServer.Controllers
{$"{Policies.CanViewPaymentRequests}:", ("View your payment requests", "Allows viewing the selected stores' payment requests.")},
{Policies.CanManagePullPayments, ("Manage your pull payments", "Allows viewing, modifying, deleting and creating pull payments on all your stores.")},
{$"{Policies.CanManagePullPayments}:", ("Manage selected stores' pull payments", "Allows viewing, modifying, deleting and creating pull payments on the selected stores.")},
{Policies.CanArchivePullPayments, ("Archive your pull payments", "Allows deleting pull payments on all your stores.")},
{$"{Policies.CanArchivePullPayments}:", ("Archive selected stores' pull payments", "Allows deleting pull payments on the selected stores.")},
{Policies.CanCreatePullPayments, ("Create pull payments", "Allows creating pull payments on all your stores.")},
{$"{Policies.CanCreatePullPayments}:", ("Create pull payments in selected stores", "Allows creating pull payments on the selected stores.")},
{Policies.CanCreateNonApprovedPullPayments, ("Create non-approved pull payments", "Allows creating pull payments without automatic approval on all your stores.")},
@ -256,7 +256,7 @@ namespace BTCPayServer.Controllers
[Authorize(Policy = Policies.CanModifyStoreSettings, AuthenticationSchemes = AuthenticationSchemes.Cookie)]
[Authorize(Policy = Policies.CanArchivePullPayments, AuthenticationSchemes = AuthenticationSchemes.Cookie)]
public IActionResult ArchivePullPayment(string storeId,
string pullPaymentId)
@ -265,11 +265,11 @@ namespace BTCPayServer.Controllers
[Authorize(Policy = Policies.CanModifyStoreSettings, AuthenticationSchemes = AuthenticationSchemes.Cookie)]
[Authorize(Policy = Policies.CanArchivePullPayments, AuthenticationSchemes = AuthenticationSchemes.Cookie)]
public async Task<IActionResult> ArchivePullPaymentPost(string storeId,
string pullPaymentId)
await _pullPaymentService.Cancel(new HostedServices.PullPaymentHostedService.CancelRequest(pullPaymentId));
await _pullPaymentService.Cancel(new PullPaymentHostedService.CancelRequest(pullPaymentId));
TempData.SetStatusMessageModel(new StatusMessageModel()
Message = "Pull payment archived",
@ -25,7 +25,7 @@
<vc:icon symbol="copy" />
<p v-if="note" v-html="note" class="text-muted mt-3"></p>
<div v-if="note" v-html="note" class="text-muted mt-3" id="scan-qr-modal-note"></div>
<div class="mb-4 text-center" v-if="continueCallback">
<button type="button" class="btn btn-secondary" data-bs-dismiss="modal" v-on:click="continueCallback()">{{ continueTitle || 'Continue' }}</button>
@ -34,6 +34,9 @@
#scan-qr-modal-note :last-child { margin-bottom: 0; }
function initQRShow(data) {
return new Vue({
@ -106,7 +109,10 @@ function initQRShow(data) {
showData(data) {
this.modes = { default: { title: 'Default', fragments: [data] } };
this.mode = "default";
@ -46,8 +46,8 @@
<div class="input-group">
@if (Model.LnurlEndpoint is not null)
<button type="button" class="input-group-prepend btn btn-outline-secondary" id="lnurlwithdraw-button" data-bs-toggle="modal" data-bs-target="#scan-qr-modal">
<span class="fa fa-qrcode fa-2x" title="LNURL-Withdraw"></span>
<button type="button" class="btn btn-secondary" id="lnurlwithdraw-button">
<span class="fa fa-qrcode fa-2x" title="LNURL-Withdraw"></span>
<input class="form-control form-control-lg font-monospace" asp-for="Destination" placeholder="Enter destination to claim funds" required style="font-size:.9rem;height:42px;">
@ -77,7 +77,6 @@
<main class="flex-grow-1 py-4">
<div class="container">
<partial name="_StatusMessage" model="@(new ViewDataDictionary(ViewData){ { "Margin", "mb-4" } })" />
@ -105,6 +104,10 @@
<button type="button" class="btn btn-link fw-semibold d-none d-lg-inline-block d-print-none border-0 p-0 ms-4 only-for-js" id="copyLink">
Copy Link
<button type="button" class="btn btn-link fw-semibold d-inline-block d-print-none border-0 p-0 ms-4 only-for-js" page-qr>
<span class="fa fa-qrcode"></span> Show QR
@if (!string.IsNullOrEmpty(Model.ResetIn))
@ -205,33 +208,49 @@
<partial name="LayoutFoot" />
@if (Model.LnurlEndpoint is not null)
var lnurlUri = LNURL.LNURL.EncodeUri(Model.LnurlEndpoint, "withdrawRequest", false).ToString();
var lnurlBech32 = LNURL.LNURL.EncodeUri(Model.LnurlEndpoint, "withdrawRequest", true).ToString();
var note = "You can scan or open this link with a <a href='' target='_blank' rel='noreferrer noopener'>LNURL-Withdraw</a> enabled wallet.";
if (!Model.AutoApprove)
note += "<br/><span class='fw-bold'>Please note that this pull payment does not automatically send out funds, and so will process payment after LNURL-withdraw flow is completed.</span>";
<script src="~/vendor/vue-qrcode/vue-qrcode.min.js" asp-append-version="true"></script>
<script src="~/vendor/vuejs/vue.min.js" asp-append-version="true"></script>
<partial name="ShowQR"/>
<script src="~/vendor/vue-qrcode/vue-qrcode.min.js" asp-append-version="true"></script>
<script src="~/vendor/vuejs/vue.min.js" asp-append-version="true"></script>
<partial name="ShowQR" />
document.addEventListener("DOMContentLoaded", () => {
const modes = {
uri: { title: "URI", fragments: [@Safe.Json(lnurlUri)], showData: true, href: @Safe.Json(lnurlUri) },
bech32: { title: "Bech32", fragments: [@Safe.Json(lnurlBech32)], showData: true, href: @Safe.Json(lnurlBech32) }
initQRShow({ title: "LNURL Withdraw", note: @Safe.Json(note), modes })
window.qrApp = initQRShow({});
delegate('click', 'button[page-qr]', event => {
qrApp.title = "Pull Payment QR";
qrApp.note = "Scan this QR code to open this page on your mobile device.";
@if (Model.LnurlEndpoint is not null)
var lnurlUri = LNURL.LNURL.EncodeUri(Model.LnurlEndpoint, "withdrawRequest", false).ToString();
var lnurlBech32 = LNURL.LNURL.EncodeUri(Model.LnurlEndpoint, "withdrawRequest", true).ToString();
var note = "<p>You can scan or open this link with a <a href='' target='_blank' rel='noreferrer noopener'>LNURL-Withdraw</a> enabled wallet.</p>";
if (!Model.AutoApprove)
note += "<p class='fw-bold'>Please note that this pull payment does not automatically send out funds, and so will process payment after LNURL-withdraw flow is completed.</p>";
document.addEventListener("DOMContentLoaded", () => {
const modes = {
uri: { title: "URI", fragments: [@Safe.Json(lnurlUri)], showData: true, href: @Safe.Json(lnurlUri) },
bech32: { title: "Bech32", fragments: [@Safe.Json(lnurlBech32)], showData: true, href: @Safe.Json(lnurlBech32) }
delegate('click', '#lnurlwithdraw-button', () => {
qrApp.title = "LNURL Withdraw";
qrApp.modes = modes;
qrApp.mode = "bech32";
qrApp.note = @Safe.Json(note);
document.addEventListener("DOMContentLoaded", () => {
document.getElementById("copyLink").addEventListener("click", window.copyUrlToClipboard);
<vc:ui-extension-point location="pullpayment-foot" model="@Model"></vc:ui-extension-point>
<vc:ui-extension-point location="pullpayment-foot" model="@Model"></vc:ui-extension-point>
@ -71,7 +71,7 @@
<a id="@state-view"
class="nav-link @(state == Model.ActiveState ? "active" : "")" role="tab">@state</a>
@ -100,8 +100,9 @@
<table class="table table-hover table-responsive-lg">
<thead class="thead-inverse">
<div class="table-responsive">
<table class="table table-hover">
<thead class="thead-inverse">
<th scope="col">
<a asp-action="PullPayments"
@ -118,63 +119,63 @@
<th scope="col">Refunded</th>
<th scope="col" class="text-end">Actions</th>
@foreach (var pp in Model.PullPayments)
<a asp-action="EditPullPayment"
<td class="align-middle">
<div class="progress ppProgress" data-pp="@pp.Id" data-bs-toggle="tooltip" data-bs-html="true">
<div class="progress-bar" role="progressbar" aria-valuenow="@pp.Progress.CompletedPercent"
aria-valuemin="0" aria-valuemax="100" style="white-space: nowrap; overflow: hidden; text-overflow: ellipsis; width:@(pp.Progress.CompletedPercent)%;">
<div class="progress-bar" role="progressbar" aria-valuenow="@pp.Progress.AwaitingPercent"
aria-valuemin="0" aria-valuemax="100" style="background-color:orange; white-space: nowrap; overflow: hidden; text-overflow: ellipsis; width:@(pp.Progress.AwaitingPercent)%;">
<td class="text-end">
<a class="pp-payout"
@if (!pp.Archived)
<span permission="@Policies.CanModifyStoreSettings"> - </span>
<a asp-action="ArchivePullPayment"
data-description="Do you really want to archive the pull payment <strong>@Html.Encode(pp.Name)</strong>?">
@foreach (var pp in Model.PullPayments)
<a asp-action="EditPullPayment"
<span> - </span>
<a asp-action="ViewPullPayment"
<td class="align-middle">
<div class="progress ppProgress" data-pp="@pp.Id" data-bs-toggle="tooltip" data-bs-html="true">
<div class="progress-bar" role="progressbar" aria-valuenow="@pp.Progress.CompletedPercent"
aria-valuemin="0" aria-valuemax="100" style="white-space: nowrap; overflow: hidden; text-overflow: ellipsis; width:@(pp.Progress.CompletedPercent)%;">
<div class="progress-bar" role="progressbar" aria-valuenow="@pp.Progress.AwaitingPercent"
aria-valuemin="0" aria-valuemax="100" style="background-color:orange; white-space: nowrap; overflow: hidden; text-overflow: ellipsis; width:@(pp.Progress.AwaitingPercent)%;">
<td class="text-end">
<a class="pp-payout"
@if (!pp.Archived)
<span permission="@Policies.CanArchivePullPayments"> - </span>
<a asp-action="ArchivePullPayment"
data-description="Do you really want to archive the pull payment <strong>@Html.Encode(pp.Name)</strong>?">
<span> - </span>
<a asp-action="ViewPullPayment"
<vc:pager view-model="Model" />
<partial name="_Confirm" model="@(new ConfirmModel("Archive pull payment", "Do you really want to archive the pull payment?", "Archive"))" />
@ -120,7 +120,7 @@
"securitySchemes": {
"API_Key": {
"type": "apiKey",
"description": "BTCPay Server supports authenticating and authorizing users through an API Key that is generated by them. Send the API Key as a header value to Authorization with the format: `token {token}`. For a smoother experience, you can generate a url that redirects users to an API key creation screen.\n\n The following permissions are available to the context of the user creating the API Key:\n\n* `unrestricted`: Unrestricted access\n* `btcpay.user.candeleteuser`: Delete user\n* `btcpay.user.canviewprofile`: View your profile\n* `btcpay.user.canmodifyprofile`: Manage your profile\n* `btcpay.user.canmanagenotificationsforuser`: Manage your notifications\n* `btcpay.user.canviewnotificationsforuser`: View your notifications\n\nThe following permissions are available if the user is an administrator:\n\n* `btcpay.server.canviewusers`: View users\n* `btcpay.server.cancreateuser`: Create new users\n* `btcpay.server.canmanageusers`: Manage users\n* `btcpay.server.canmodifyserversettings`: Manage your server\n* `btcpay.server.canuseinternallightningnode`: Use the internal lightning node\n* `btcpay.server.canviewlightninginvoiceinternalnode`: View invoices from internal lightning node\n* `btcpay.server.cancreatelightninginvoiceinternalnode`: Create invoices with internal lightning node\n\nThe following permissions applies to all stores of the user, you can limit to a specific store with the following format: ``:\n\n* ``: Modify your stores\n* ``: View exchange accounts linked to your stores\n* ``: Manage exchange accounts linked to your stores\n* ``: Deposit funds to exchange accounts linked to your stores\n* ``: Withdraw funds from exchange accounts to your store\n* ``: Trade funds on your store's exchange accounts\n* ``: Modify stores webhooks\n* ``: View your stores\n* ``: Create an invoice\n* ``: View invoices\n* ``: Modify invoices\n* ``: Modify your payment requests\n* ``: View your payment requests\n* ``: Manage your pull payments\n* ``: Create pull payments\n* ``: Create non-approved pull payments\n* ``: Use the lightning nodes associated with your stores\n* ``: View the lightning invoices associated with your stores\n* ``: Create invoices from the lightning nodes associated with your stores\n\nNote that API Keys only limits permission of a user and can never expand it. If an API Key has the permission `btcpay.server.canmodifyserversettings` but that the user account creating this API Key is not administrator, the API Key will not be able to modify the server settings.\nSome permissions may include other permissions, see [this operation](#operation/permissionsMetadata).\n",
"description": "BTCPay Server supports authenticating and authorizing users through an API Key that is generated by them. Send the API Key as a header value to Authorization with the format: `token {token}`. For a smoother experience, you can generate a url that redirects users to an API key creation screen.\n\n The following permissions are available to the context of the user creating the API Key:\n\n* `unrestricted`: Unrestricted access\n* `btcpay.user.candeleteuser`: Delete user\n* `btcpay.user.canviewprofile`: View your profile\n* `btcpay.user.canmodifyprofile`: Manage your profile\n* `btcpay.user.canmanagenotificationsforuser`: Manage your notifications\n* `btcpay.user.canviewnotificationsforuser`: View your notifications\n\nThe following permissions are available if the user is an administrator:\n\n* `btcpay.server.canviewusers`: View users\n* `btcpay.server.cancreateuser`: Create new users\n* `btcpay.server.canmanageusers`: Manage users\n* `btcpay.server.canmodifyserversettings`: Manage your server\n* `btcpay.server.canuseinternallightningnode`: Use the internal lightning node\n* `btcpay.server.canviewlightninginvoiceinternalnode`: View invoices from internal lightning node\n* `btcpay.server.cancreatelightninginvoiceinternalnode`: Create invoices with internal lightning node\n\nThe following permissions applies to all stores of the user, you can limit to a specific store with the following format: ``:\n\n* ``: Modify your stores\n* ``: View exchange accounts linked to your stores\n* ``: Manage exchange accounts linked to your stores\n* ``: Deposit funds to exchange accounts linked to your stores\n* ``: Withdraw funds from exchange accounts to your store\n* ``: Trade funds on your store's exchange accounts\n* ``: Modify stores webhooks\n* ``: View your stores\n* ``: Create an invoice\n* ``: View invoices\n* ``: Modify invoices\n* ``: Modify your payment requests\n* ``: View your payment requests\n* ``: Manage your pull payments\n* ``: Archive your pull payments\n* ``: Create pull payments\n* ``: Create non-approved pull payments\n* ``: Use the lightning nodes associated with your stores\n* ``: View the lightning invoices associated with your stores\n* ``: Create invoices from the lightning nodes associated with your stores\n\nNote that API Keys only limits permission of a user and can never expand it. If an API Key has the permission `btcpay.server.canmodifyserversettings` but that the user account creating this API Key is not administrator, the API Key will not be able to modify the server settings.\nSome permissions may include other permissions, see [this operation](#operation/permissionsMetadata).\n",
"name": "Authorization",
"in": "header"
@ -243,7 +243,7 @@
"security": [
"API_Key": [
"Basic": []
Reference in New Issue
Block a user