add protection to delete and modify son object only if owner

2019-09-25 18:17:42 -03:00 · 2019-09-25 18:17:42 -03:00 · 17dfc6af64
commit 17dfc6af64
parent 3a4445b20c
2 changed files with 86 additions and 1 deletions
--- a/libraries/chain/son_evaluator.cpp
+++ b/libraries/chain/son_evaluator.cpp
@ -31,6 +31,7 @@ object_id_type create_son_evaluator::do_apply(const son_create_operation& op)
 void_result update_son_evaluator::do_evaluate(const son_update_operation& op)
 { try {
    FC_ASSERT(db().head_block_time() >= HARDFORK_SON_TIME, "Not allowed until SON HARDFORK"); // can be removed after HF date pass
+    FC_ASSERT(db().get(op.son_id).son_member_account == op.owner_account);
    const auto& idx = db().get_index_type<son_member_index>().indices().get<by_id>();
    FC_ASSERT( idx.find(op.son_id) != idx.end() );
    return void_result();
@ -52,6 +53,7 @@ object_id_type update_son_evaluator::do_apply(const son_update_operation& op)
 void_result delete_son_evaluator::do_evaluate(const son_delete_operation& op)
 { try {
    FC_ASSERT(db().head_block_time() >= HARDFORK_SON_TIME, "Not allowed until SON_HARDFORK"); // can be removed after HF date pass
+    FC_ASSERT(db().get(op.son_id).son_member_account == op.owner_account);
    const auto& idx = db().get_index_type<son_member_index>().indices().get<by_id>();
    FC_ASSERT( idx.find(op.son_id) != idx.end() );
    return void_result();
--- a/tests/tests/son_operations_tests.cpp
+++ b/tests/tests/son_operations_tests.cpp
@ -85,7 +85,7 @@ BOOST_AUTO_TEST_CASE( update_son_test ){
   BOOST_CHECK( id == obj->id );
 }

-BOOST_AUTO_TEST_CASE( delete_son_test ){
+BOOST_AUTO_TEST_CASE( delete_son_test ) {
   INVOKE(create_son_test);
   test_delete_son_member_evaluator test_eval( db );

@ -100,4 +100,87 @@ BOOST_AUTO_TEST_CASE( delete_son_test ){
   BOOST_REQUIRE( idx.empty() );
 }

+BOOST_AUTO_TEST_CASE( update_delete_not_own ) { // fee payer needs to be the son object owner
+try {
+   generate_blocks(HARDFORK_SON_TIME);
+   while (db.head_block_time() <= HARDFORK_SON_TIME) {
+      generate_block();
+   }
+   generate_block();
+   set_expiration(db, trx);
+
+   ACTORS((alice)(bob));
+
+   upgrade_to_lifetime_member(alice);
+   upgrade_to_lifetime_member(bob);
+
+   set_expiration(db, trx);
+   std::string test_url = "https://create_son_test";
+
+   // alice became son
+   {
+      son_create_operation op;
+      op.owner_account = alice_id;
+      op.url = test_url;
+      trx.operations.push_back(op);
+      sign(trx, alice_private_key);
+      PUSH_TX(db, trx, ~0);
+   }
+   generate_block();
+
+   set_expiration(db, trx);
+   trx.clear();
+
+   const auto& idx = db.get_index_type<son_member_index>().indices().get<by_account>();
+   BOOST_REQUIRE( idx.size() == 1 );
+   auto obj = idx.find( alice_id );
+   BOOST_REQUIRE( obj != idx.end() );
+   BOOST_CHECK( obj->url == test_url );
+
+   // bob tries to update a son object he dont own
+   {
+      son_update_operation op;
+      op.owner_account = bob_id;
+      op.new_url = "whatever";
+      op.son_id = son_id_type(0);
+
+      trx.operations.push_back(op);
+      sign(trx, bob_private_key);
+      GRAPHENE_REQUIRE_THROW(PUSH_TX( db, trx ), fc::exception);
+   }
+   generate_block();
+
+   set_expiration(db, trx);
+   trx.clear();
+
+   obj = idx.find( alice_id );
+   BOOST_REQUIRE( obj != idx.end() );
+   // not changing
+   BOOST_CHECK( obj->url == "https://create_son_test" );
+
+   // bob tries to delete a son object he dont own
+   {
+      son_delete_operation op;
+      op.owner_account = bob_id;
+      op.son_id = son_id_type(0);
+
+      trx.operations.push_back(op);
+      sign(trx, bob_private_key);
+      GRAPHENE_REQUIRE_THROW(PUSH_TX( db, trx ), fc::exception);
+
+   }
+   generate_block();
+
+   obj = idx.find( alice_id );
+   // not deleting
+   BOOST_REQUIRE( obj != idx.end() );
+   BOOST_CHECK( obj->son_member_account.instance ==  alice_id.instance);
+
+}
+catch (fc::exception &e) {
+   edump((e.to_detail_string()));
+   throw;
+}
+}
+
 BOOST_AUTO_TEST_SUITE_END()