fix: remove admin extensions for non admin users

2023-04-05 19:40:16 +03:00 · 2023-04-05 19:40:16 +03:00 · 0d14d2b56e
commit 0d14d2b56e
parent d7e7d89e9a
2 changed files with 14 additions and 2 deletions
--- a/lnbits/core/crud.py
+++ b/lnbits/core/crud.py
@ -62,7 +62,9 @@ async def get_user(user_id: str, conn: Optional[Connection] = None) -> Optional[
    return User(
        id=user["id"],
        email=user["email"],
-        extensions=[e[0] for e in extensions],
+        extensions=[
+            e[0] for e in extensions if User.is_extension_for_user(e[0], user["id"])
+        ],
        wallets=[Wallet(**w) for w in wallets],
        admin=user["id"] == settings.super_user
        or user["id"] in settings.lnbits_admin_users,
--- a/lnbits/core/models.py
+++ b/lnbits/core/models.py
@ -13,7 +13,7 @@ from pydantic import BaseModel

 from lnbits.db import Connection
 from lnbits.helpers import url_for
-from lnbits.settings import get_wallet_class
+from lnbits.settings import get_wallet_class, settings
 from lnbits.wallets.base import PaymentStatus


@ -75,6 +75,16 @@ class User(BaseModel):
        w = [wallet for wallet in self.wallets if wallet.id == wallet_id]
        return w[0] if w else None

+    @classmethod
+    def is_extension_for_user(cls, ext: str, user: str) -> bool:
+        if ext not in settings.lnbits_admin_extensions:
+            return True
+        if user == settings.super_user:
+            return True
+        if user in settings.lnbits_admin_users:
+            return True
+        return False
+

 class Payment(BaseModel):
    checking_id: str