From 5f4fa61310e756ab0fa0490688a774a6b5f37475 Mon Sep 17 00:00:00 2001 From: callebtc <93376500+callebtc@users.noreply.github.com> Date: Wed, 7 Dec 2022 14:56:45 +0100 Subject: [PATCH 1/3] refactor:depend_admin_user --- lnbits/core/views/api.py | 15 ++++----------- lnbits/decorators.py | 17 +++++++++++++++++ lnbits/extensions/satspay/views_api.py | 11 ++--------- 3 files changed, 23 insertions(+), 20 deletions(-) diff --git a/lnbits/core/views/api.py b/lnbits/core/views/api.py index 995cf9e70..c448a6ab9 100644 --- a/lnbits/core/views/api.py +++ b/lnbits/core/views/api.py @@ -34,11 +34,12 @@ from lnbits.core.models import Payment, Wallet from lnbits.decorators import ( WalletTypeInfo, get_key_type, + require_admin_user, require_admin_key, require_invoice_key, ) from lnbits.helpers import url_for, urlsafe_short_hash -from lnbits.settings import LNBITS_ADMIN_USERS, LNBITS_SITE_TITLE, WALLET +from lnbits.settings import LNBITS_SITE_TITLE, WALLET from lnbits.utils.exchange_rates import ( currencies, fiat_amount_as_satoshis, @@ -84,12 +85,8 @@ async def api_wallet(wallet: WalletTypeInfo = Depends(get_key_type)): @core_app.put("/api/v1/wallet/balance/{amount}") async def api_update_balance( - amount: int, wallet: WalletTypeInfo = Depends(get_key_type) + amount: int, wallet: WalletTypeInfo = Depends(require_admin_user) ): - if wallet.wallet.user not in LNBITS_ADMIN_USERS: - raise HTTPException( - status_code=HTTPStatus.FORBIDDEN, detail="Not an admin user" - ) payHash = urlsafe_short_hash() await create_payment( 
@@ -687,11 +684,7 @@ async def img(request: Request, data): @core_app.get("/api/v1/audit") -async def api_auditor(wallet: WalletTypeInfo = Depends(get_key_type)): - if wallet.wallet.user not in LNBITS_ADMIN_USERS: - raise HTTPException( - status_code=HTTPStatus.FORBIDDEN, detail="Not an admin user" - ) +async def api_auditor(wallet: WalletTypeInfo = Depends(require_admin_user)): total_balance = await get_total_balance() error_message, node_balance = await WALLET.status() diff --git a/lnbits/decorators.py b/lnbits/decorators.py index d4aa63aea..b8a3d37c2 100644 --- a/lnbits/decorators.py +++ b/lnbits/decorators.py @@ -172,6 +172,23 @@ async def get_key_type( ) +async def require_admin_user( + r: Request, + api_key_header: str = Security(api_key_header), # type: ignore + api_key_query: str = Security(api_key_query), # type: ignore +): + + token = api_key_header or api_key_query + wallet = await get_key_type(r, token) + + if wallet.wallet.user not in LNBITS_ADMIN_USERS: + raise HTTPException( + status_code=HTTPStatus.FORBIDDEN, detail="Not an admin user" + ) + else: + return wallet + + async def require_admin_key( r: Request, api_key_header: str = Security(api_key_header), # type: ignore diff --git a/lnbits/extensions/satspay/views_api.py b/lnbits/extensions/satspay/views_api.py index 09884040e..67397132d 100644 --- a/lnbits/extensions/satspay/views_api.py +++ b/lnbits/extensions/satspay/views_api.py @@ -1,20 +1,18 @@ import json from http import HTTPStatus -import httpx from fastapi.params import Depends from loguru import logger from starlette.exceptions import HTTPException -from lnbits.core.crud import get_wallet from lnbits.decorators import ( WalletTypeInfo, get_key_type, + require_admin_user, require_admin_key, require_invoice_key, ) from lnbits.extensions.satspay import satspay_ext -from lnbits.settings import LNBITS_ADMIN_EXTENSIONS, LNBITS_ADMIN_USERS from .crud import ( check_address_balance, 
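Review bot: `require_admin_user` in lnbits/decorators.py authorises on the wallet's owner only: after `get_key_type(r, token)` it checks `wallet.wallet.user` against `LNBITS_ADMIN_USERS`, never looks at which kind of key was presented, and does not reject an empty `token` itself. `get_key_type` is defined outside the hunk, but if it resolves invoice keys as well as admin keys, the lower-privilege key of an admin user's wallet is enough for every route this series moves onto the dependency (`api_update_balance`, `api_auditor`, `api_themes_save`). If these routes should demand the admin key, resolve the wallet with `wallet = await require_admin_key(r, api_key_header, api_key_query)` (assuming it takes the same three arguments as the part of its signature visible here), keep the user check, and drop the redundant `else:`. Either way, a docstring such as `"""Resolve the API key to a wallet and return it only if its user is in LNBITS_ADMIN_USERS (403 otherwise)."""` should also record which key types are accepted.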
@@ -143,14 +141,9 @@ async def api_charge_balance(charge_id): @satspay_ext.post("/api/v1/themes/{css_id}") async def api_themes_save( data: SatsPayThemes, - wallet: WalletTypeInfo = Depends(require_invoice_key), + wallet: WalletTypeInfo = Depends(require_admin_user), css_id: str = None, ): - if LNBITS_ADMIN_USERS and wallet.wallet.user not in LNBITS_ADMIN_USERS: - raise HTTPException( - status_code=HTTPStatus.FORBIDDEN, - detail="Only server admins can create themes.", - ) if css_id: theme = await save_theme(css_id=css_id, data=data) else: From ab4a9370e749ed697ff6068497afee5b9d6aafb4 Mon Sep 17 00:00:00 2001 From: callebtc <93376500+callebtc@users.noreply.github.com> Date: Wed, 7 Dec 2022 14:57:10 +0100 Subject: [PATCH 2/3] style: make format --- lnbits/core/views/api.py | 2 +- lnbits/extensions/satspay/views_api.py | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/lnbits/core/views/api.py b/lnbits/core/views/api.py index c448a6ab9..5f2b44bde 100644 --- a/lnbits/core/views/api.py +++ b/lnbits/core/views/api.py @@ -34,8 +34,8 @@ from lnbits.core.models import Payment, Wallet from lnbits.decorators import ( WalletTypeInfo, get_key_type, - require_admin_user, require_admin_key, + require_admin_user, require_invoice_key, ) from lnbits.helpers import url_for, urlsafe_short_hash diff --git a/lnbits/extensions/satspay/views_api.py b/lnbits/extensions/satspay/views_api.py index 67397132d..c21f31ecf 100644 --- a/lnbits/extensions/satspay/views_api.py +++ b/lnbits/extensions/satspay/views_api.py @@ -8,8 +8,8 @@ from starlette.exceptions import HTTPException from lnbits.decorators import ( WalletTypeInfo, get_key_type, - require_admin_user, require_admin_key, + require_admin_user, require_invoice_key, ) from lnbits.extensions.satspay import satspay_ext From a243e4e32019daaa4011acd4d5edd797f6dcd5a0 Mon Sep 17 00:00:00 2001 
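Review bot: In `api_themes_save` (satspay/views_api.py, patch 1) the switch to `Depends(require_admin_user)` changes who is authorised, not only where the check lives. The removed guard was `if LNBITS_ADMIN_USERS and wallet.wallet.user not in LNBITS_ADMIN_USERS`, so with an empty admin list any caller passing `require_invoice_key` could save a theme, whereas `require_admin_user` tests `not in LNBITS_ADMIN_USERS` unconditionally and rejects everyone when the list is empty. Failing closed is probably the safer result, but it is a behaviour change inside a commit titled as a refactor and should be stated in the commit message or release notes. The 403 detail also changes from "Only server admins can create themes." to "Not an admin user", which any client matching on that text would notice. The function body continues outside the hunk.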
From: callebtc <93376500+callebtc@users.noreply.github.com> Date: Mon, 26 Dec 2022 12:12:27 +0100 Subject: [PATCH 3/3] fix: update to latest changes --- lnbits/core/views/api.py | 6 +++--- lnbits/decorators.py | 2 +- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/lnbits/core/views/api.py b/lnbits/core/views/api.py index 1d3d76f12..5f7cbd38a 100644 --- a/lnbits/core/views/api.py +++ b/lnbits/core/views/api.py @@ -665,9 +665,9 @@ async def img(request: Request, data): ) -@core_app.get("/api/v1/audit") -async def api_auditor(wallet: WalletTypeInfo = Depends(require_admin_user)): - +@core_app.get("/api/v1/audit", dependencies=[Depends(check_admin)]) +async def api_auditor(): + WALLET = get_wallet_class() total_balance = await get_total_balance() error_message, node_balance = await WALLET.status() diff --git a/lnbits/decorators.py b/lnbits/decorators.py index 7f8e84e6e..3ef9e850e 100644 --- a/lnbits/decorators.py +++ b/lnbits/decorators.py @@ -181,7 +181,7 @@ async def require_admin_user( token = api_key_header or api_key_query wallet = await get_key_type(r, token) - if wallet.wallet.user not in LNBITS_ADMIN_USERS: + if wallet.wallet.user not in settings.lnbits_admin_users: raise HTTPException( status_code=HTTPStatus.FORBIDDEN, detail="Not an admin user" )
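Review bot: After patch 3 `api_auditor` is gated by `dependencies=[Depends(check_admin)]`, while, as far as the visible hunks show, `api_update_balance` and `api_themes_save` stay on `require_admin_user`. The series therefore ends with two different admin gates on admin-only routes. `check_admin` is neither defined nor imported in any hunk on this page, so whether it authenticates the same thing (an API key resolved to a wallet user) or something else cannot be compared from here. Either move the remaining routes to the same gate or add a comment above `require_admin_user` explaining why both exist, for example `# API-key based admin check; check_admin (see <where it is defined>) covers <what it checks>`. The body of `api_auditor` continues outside the hunk.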