feat: Prevent non-owners from using '*'

near · Feb 7, 2024 · 11d61f6 · 11d61f6
1 parent 9e92f71
commit 11d61f6
Showing 1 changed file with 71 additions and 0 deletions.
diff --git a/registry/contract/src/lib.rs b/registry/contract/src/lib.rs
@@ -268,6 +268,22 @@ impl Contract {
             &account_id
         );
 
+        match &rule {
+            Rule::ActionAny {
+                affected_account_id,
+                ..
+            }
+            | Rule::ActionFunctionCall {
+                affected_account_id,
+                ..
+            } => {
+                if affected_account_id == "*" {
+                    self.assert_roles(vec![Role::Owner]);
+                }
+            }
+            _ => {}
+        }
+
         let account_indexers =
             self.registry
                 .entry(account_id.clone())
@@ -331,6 +347,22 @@ impl Contract {
                         env::panic_str(&format!("Invalid filter JSON {}", e));
                     });
 
+                match &filter_rule.matching_rule {
+                    MatchingRule::ActionAny {
+                        affected_account_id,
+                        ..
+                    }
+                    | MatchingRule::ActionFunctionCall {
+                        affected_account_id,
+                        ..
+                    } => {
+                        if affected_account_id == "*" {
+                            self.assert_roles(vec![Role::Owner]);
+                        }
+                    }
+                    _ => {}
+                }
+
                 filter_rule
             }
             None => Contract::near_social_indexer_rule(),
@@ -1235,6 +1267,45 @@ mod tests {
         );
     }
 
+    #[test]
+    #[should_panic(expected = "Account bob.near does not have one of required roles [Owner]")]
+    fn prevents_non_owners_from_using_wildcard() {
+        let mut contract = Contract::default();
+        contract.account_roles.push(AccountRole {
+            account_id: "bob.near".parse().unwrap(),
+            role: Role::User,
+        });
+
+        contract.register_indexer_function(
+            String::from("name"),
+            String::from("code"),
+            Some(0),
+            Some(String::from("schema")),
+            None,
+            Some(r#"{"indexer_rule_kind":"Action","matching_rule":{"rule":"ACTION_ANY","affected_account_id":"*","status":"SUCCESS"}}"#.to_string()),
+        );
+    }
+
+    #[test]
+    fn allows_owners_to_use_wildcard() {
+        let mut contract = Contract::default();
+        contract.account_roles.push(AccountRole {
+            account_id: "bob.near".parse().unwrap(),
+            role: Role::Owner,
+        });
+
+        contract.register_indexer_function(
+            String::from("name"),
+            String::from("code"),
+            Some(0),
+            Some(String::from("schema")),
+            None,
+            Some(r#"{"indexer_rule_kind":"Action","matching_rule":{"rule":"ACTION_ANY","affected_account_id":"*","status":"SUCCESS"}}"#.to_string()),
+        );
+
+        assert_eq!(contract.registry.len(), 1);
+    }
+
     #[test]
     fn users_can_remove_their_own_functions() {
         let account_id = "bob.near".parse::<AccountId>().unwrap();