From 11d61f6944f4ae9a989aa068bf5a389f17ee6b1b Mon Sep 17 00:00:00 2001
From: Morgan Mccauley <morgan@mccauley.co.nz>
Date: Wed, 7 Feb 2024 15:08:42 +1300
Subject: [PATCH] feat: Prevent non-owners from using '*'

---
 registry/contract/src/lib.rs | 71 ++++++++++++++++++++++++++++++++++++
 1 file changed, 71 insertions(+)

diff --git a/registry/contract/src/lib.rs b/registry/contract/src/lib.rs
index 38a9909eb..f33835461 100644
--- a/registry/contract/src/lib.rs
+++ b/registry/contract/src/lib.rs
@@ -268,6 +268,22 @@ impl Contract {
             &account_id
         );
 
+        match &rule {
+            Rule::ActionAny {
+                affected_account_id,
+                ..
+            }
+            | Rule::ActionFunctionCall {
+                affected_account_id,
+                ..
+            } => {
+                if affected_account_id == "*" {
+                    self.assert_roles(vec![Role::Owner]);
+                }
+            }
+            _ => {}
+        }
+
         let account_indexers =
             self.registry
                 .entry(account_id.clone())
@@ -331,6 +347,22 @@ impl Contract {
                         env::panic_str(&format!("Invalid filter JSON {}", e));
                     });
 
+                match &filter_rule.matching_rule {
+                    MatchingRule::ActionAny {
+                        affected_account_id,
+                        ..
+                    }
+                    | MatchingRule::ActionFunctionCall {
+                        affected_account_id,
+                        ..
+                    } => {
+                        if affected_account_id == "*" {
+                            self.assert_roles(vec![Role::Owner]);
+                        }
+                    }
+                    _ => {}
+                }
+
                 filter_rule
             }
             None => Contract::near_social_indexer_rule(),
@@ -1235,6 +1267,45 @@ mod tests {
         );
     }
 
+    #[test]
+    #[should_panic(expected = "Account bob.near does not have one of required roles [Owner]")]
+    fn prevents_non_owners_from_using_wildcard() {
+        let mut contract = Contract::default();
+        contract.account_roles.push(AccountRole {
+            account_id: "bob.near".parse().unwrap(),
+            role: Role::User,
+        });
+
+        contract.register_indexer_function(
+            String::from("name"),
+            String::from("code"),
+            Some(0),
+            Some(String::from("schema")),
+            None,
+            Some(r#"{"indexer_rule_kind":"Action","matching_rule":{"rule":"ACTION_ANY","affected_account_id":"*","status":"SUCCESS"}}"#.to_string()),
+        );
+    }
+
+    #[test]
+    fn allows_owners_to_use_wildcard() {
+        let mut contract = Contract::default();
+        contract.account_roles.push(AccountRole {
+            account_id: "bob.near".parse().unwrap(),
+            role: Role::Owner,
+        });
+
+        contract.register_indexer_function(
+            String::from("name"),
+            String::from("code"),
+            Some(0),
+            Some(String::from("schema")),
+            None,
+            Some(r#"{"indexer_rule_kind":"Action","matching_rule":{"rule":"ACTION_ANY","affected_account_id":"*","status":"SUCCESS"}}"#.to_string()),
+        );
+
+        assert_eq!(contract.registry.len(), 1);
+    }
+
     #[test]
     fn users_can_remove_their_own_functions() {
         let account_id = "bob.near".parse::<AccountId>().unwrap();