
Payment-providers Management API endpoint requires Settings section access instead of Commerce section access #782

@mdp-jf

Description


Which component is this issue related to?

Payment Provider

Which Umbraco Commerce version are you using? (Please write the exact version, example: 10.1.0)

16.2.2

Bug summary

The /umbraco/commerce/management/api/v1/payment-providers Management API endpoint uses [Authorize(Policy = "SectionAccessSettings")], which prevents Commerce section users from accessing payment provider information. This causes the order editor UI to fail when loading Capture/Refund buttons for non-admin users.

According to the official documentation, Commerce users should only need Commerce and Content section access - NOT Settings section access.

Specifics

Console Error

When a Commerce user (without Settings access) opens an order:
GET https://[domain]/umbraco/commerce/management/api/v1/payment-providers 403 (Forbidden)
[UmbTryExecuteController] Error in request: UmbApiError: Unknown error

Decompiled Code Analysis

Using dotPeek to inspect Umbraco.Commerce.Cms.Web.Api.Management.dll reveals:

GetPaymentProviderByAliasManagementApiController.cs:

[ApiVersion("1.0")]
[VersionedManagementApiRoute("payment-providers")]
[ApiExplorerSettings(GroupName = "Payment Provider")]
[Authorize(Policy = "SectionAccessSettings")]  // ← This is the problem
public class GetPaymentProviderByAliasManagementApiController :
    UmbracoCommerceManagementApiControllerBase

Comparison with Other Endpoints

Other Commerce endpoints use more appropriate policies:

GetPaymentMethodsManagementApiController.cs:
[Authorize(Policy = "BackOfficeAccess")]

Impact

  • Order editor UI cannot display Capture/Refund buttons for Commerce users
  • Users see "Unknown error" in the UI
  • Admin users are unaffected (they have Settings access by default)

Steps to reproduce

 1. Create a fresh Umbraco 16 installation with Umbraco Commerce 16.2.2
 2. Set up a payment provider (e.g., Nets, Stripe)
 3. Create a custom user group named "Commerce Users"
 4. Grant the user group access to **Commerce** and **Content** sections only (NOT Settings)
 5. Create a test user and assign them to the "Commerce Users" group
 6. Log in as the test user
 7. Navigate to Commerce → Orders
 8. Click on any completed order to open the order editor
 9. Open browser developer console (F12)
 10. Observe the 403 Forbidden error for `/umbraco/commerce/management/api/v1/payment-providers`
 11. Observe that Capture/Refund buttons are not displayed

### Expected Result
 - Commerce users with Commerce section access should be able to:
   - View payment provider information 
   - See Capture/Refund buttons in order editor
   - Perform order management tasks without Settings section access

 - The payment-providers endpoint should use one of these authorization policies:
   - `[Authorize(Policy = "BackOfficeAccess")]` (like payment-methods endpoint)
   - OR a Commerce-specific policy like `"SectionAccessCommerce"`

### Actual Result
 - Commerce users get 403 Forbidden when accessing the payment-providers endpoint
 - Order editor displays "Unknown error"
 - Capture/Refund buttons are not rendered
 - The only workaround is to grant Settings section access, which gives excessive permissions to store configuration, document types, data types, etc.
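To verify a fix, or to reproduce the 403 from step 10 without going through the UI, the following added script (not part of the issue or of Umbraco Commerce) calls the routes the order editor needs as a Commerce-only back-office user and lists any that return a status other than the one expected. It assumes a bearer token for that user, and the payment-methods route path is assumed, since the issue only names its controller class.

```python
import sys
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Tuple

# Routes the order editor loads for a Commerce-only user, with the status that
# user should get once the policy is fixed. The payment-methods path is an
# assumption; the issue only names its controller class.
EXPECTED: Dict[str, int] = {
    "/umbraco/commerce/management/api/v1/payment-providers": 200,
    "/umbraco/commerce/management/api/v1/payment-methods": 200,
}


def http_status(base_url: str, token: str, path: str) -> int:
    """GET path with a back-office bearer token; return the status, 4xx included."""
    req = urllib.request.Request(base_url.rstrip("/") + path,
                                 headers={"Authorization": f"Bearer {token}"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def explain(status: int) -> str:
    """Map a status to the likely cause, in the terms the issue uses."""
    if status == 403:
        return "forbidden: route policy requires a section this user group lacks"
    if status == 401:
        return "unauthenticated: token missing or expired"
    return "ok" if status == 200 else f"unexpected status {status}"


def find_deviations(fetch: Callable[[str], int],
                    expected: Dict[str, int] = EXPECTED) -> List[Tuple[str, int, int, str]]:
    """Return (path, expected, actual, explanation) for each route that deviates."""
    rows = []
    for path, want in expected.items():
        got = fetch(path)  # one request per route
        if got != want:
            rows.append((path, want, got, explain(got)))
    return rows


if __name__ == "__main__":  # usage: python check.py https://host <bearer-token>
    base, tok = sys.argv[1], sys.argv[2]
    for row in find_deviations(lambda p: http_status(base, tok, p)):
        print(*row, sep="\t")
```

Run it once as the "Commerce Users" test user before and after changing the policy; an empty result means every route the order editor depends on is reachable with Commerce + Content access only.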

### Dependencies

 - Umbraco CMS: 16.2.0
 - Umbraco.Commerce: 16.2.2
 - Umbraco.Commerce.PaymentProviders.Nets: 16.0.0
