only allows admins to use custom themes

lnbits/extensions/satspay/migrations.py

@@ -38,7 +38,7 @@ async def m002_add_charge_extra_data(db):
         """
     )
 
-async def m002_add_themes_table(db):
+async def m003_add_themes_table(db):
     """
     Themes table
     """
@@ -55,7 +55,7 @@ async def m002_add_themes_table(db):
     )
 
 
-async def m003_add_custom_css_to_charges(db):
+async def m004_add_custom_css_to_charges(db):
     """
     Add custom css option column to the 'charges' table
     """

lnbits/extensions/satspay/templates/satspay/index.html

@@ -10,11 +10,20 @@
         </q-btn>
 
         <q-btn
+          v-if="admin == 'True'"
           unelevated
           color="primary"
           @click="getThemes();formDialogThemes.show = true"
           >New CSS Theme
         </q-btn>
+        <q-btn
+          v-else
+          disable
+          unelevated
+          color="primary"
+          @click="getThemes();formDialogThemes.show = true"
+          >New CSS Theme
+        <q-tooltip>For security reason, custom css is only available to server admins.</q-tooltip></q-btn>
       </q-card-section>
     </q-card>
 
@@ -267,7 +276,7 @@
       </q-card-section>
     </q-card>
 
-    <q-card>
+    <q-card  v-if="admin == 'True'">
       <q-card-section>
         <div class="row items-center no-wrap q-mb-md">
           <div class="col">
@@ -522,6 +531,7 @@
       return {
         settings: {},
         filter: '',
+        admin: '{{ admin }}',
         balance: null,
         walletLinks: [],
         chargeLinks: [],
@@ -938,6 +948,7 @@
       }
     },
     created: async function () {
+      console.log(this.admin)
       await this.getThemes()
       await this.getCharges()
       await this.getWalletConfig()

lnbits/extensions/satspay/views.py

@@ -10,17 +10,20 @@ from starlette.responses import HTMLResponse
 from lnbits.core.models import User
 from lnbits.decorators import check_user_exists
 from lnbits.extensions.satspay.helpers import public_charge
+from lnbits.settings import LNBITS_ADMIN_USERS
 
 from . import satspay_ext, satspay_renderer
-from .crud import get_charge, get_charge_config, get_themes, get_theme
+from .crud import get_charge, get_theme
 
 templates = Jinja2Templates(directory="templates")
 
-
 @satspay_ext.get("/", response_class=HTMLResponse)
 async def index(request: Request, user: User = Depends(check_user_exists)):
+    admin = False
+    if LNBITS_ADMIN_USERS and user.id not in LNBITS_ADMIN_USERS:
+        admin = True
     return satspay_renderer().TemplateResponse(
-        "satspay/index.html", {"request": request, "user": user.dict()}
+        "satspay/index.html", {"request": request, "user": user.dict(), "admin": admin}
     )
 
 

lnbits/extensions/satspay/views_api.py

@@ -15,6 +15,11 @@ from lnbits.decorators import (
 )
 from lnbits.extensions.satspay import satspay_ext
 
+from lnbits.settings import (
+    LNBITS_ADMIN_EXTENSIONS,
+    LNBITS_ADMIN_USERS,
+)
+
 from .crud import (
     check_address_balance,
     create_charge,
@@ -157,6 +162,11 @@ async def api_themes_save(
     wallet: WalletTypeInfo = Depends(require_invoice_key),
     css_id: str = None,
 ):
+    if LNBITS_ADMIN_USERS and wallet.wallet.user not in LNBITS_ADMIN_USERS:
+        raise HTTPException(
+            status_code=HTTPStatus.FORBIDDEN,
+            detail="Only server admins can create themes.",
+        )
     if css_id:
         theme = await save_theme(css_id=css_id, data=data)
     else: