fix: use check_admin for approval endpoints, not require_admin_key

require_admin_key only checks that the API key is a wallet admin key, which ANY user has. check_admin verifies the user is a LNbits admin (super_user or lnbits_admin_users). JS updated to omit API key on admin endpoints, relying on session cookie auth instead. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-27 11:27:21 +02:00 · 2026-04-27 11:27:21 +02:00 · c1e66fbf7f
commit c1e66fbf7f
parent 7843da21d8
2 changed files with 14 additions and 17 deletions
--- a/static/js/index.js
+++ b/static/js/index.js
@ -122,8 +122,7 @@ window.app = Vue.createApp({
          LNbits.api
            .request(
              'PUT',
-              '/events/api/v1/events/' + eventId + '/approve',
-              this.g.user.wallets[0].adminkey
+              '/events/api/v1/events/' + eventId + '/approve'
            )
            .then(() => {
              this.$q.notify({
@ -145,8 +144,7 @@ window.app = Vue.createApp({
          LNbits.api
            .request(
              'PUT',
-              '/events/api/v1/events/' + eventId + '/reject',
-              this.g.user.wallets[0].adminkey
+              '/events/api/v1/events/' + eventId + '/reject'
            )
            .then(() => {
              this.$q.notify({
@ -207,8 +205,7 @@ window.app = Vue.createApp({
      LNbits.api
        .request(
          'GET',
-          '/events/api/v1/events/all',
-          this.g.user.wallets[0].adminkey
+          '/events/api/v1/events/all'
        )
        .then(response => {
          this.events = response.data.map(obj => {
@ -236,8 +233,7 @@ window.app = Vue.createApp({
      LNbits.api
        .request(
          'GET',
-          '/events/api/v1/events/pending',
-          this.g.user.wallets[0].adminkey
+          '/events/api/v1/events/pending'
        )
        .then(response => {
          this.pendingEvents = response.data.map(obj => {