permissions: added checks to ensure that a role cannot be removed when active accounts are linked to it.

This commit is contained in:
vsmk98 2019-05-08 11:30:06 +08:00
parent 8e57f36013
commit 9d844b9dbf
3 changed files with 29 additions and 10 deletions


@ -32,7 +32,16 @@ contract RoleManager {
function roleExists(string memory _roleId, string memory _orgId, string memory _ultParent) public view returns (bool)
{
return ((roleIndex[keccak256(abi.encodePacked(_roleId, _orgId))] != 0) || (roleIndex[keccak256(abi.encodePacked(_roleId, _ultParent))] != 0));
uint id;
if (roleIndex[keccak256(abi.encodePacked(_roleId, _orgId))] != 0) {
id = getRoleIndex(_roleId, _orgId);
return roleList[id].active;
}
else if (roleIndex[keccak256(abi.encodePacked(_roleId, _ultParent))] != 0) {
id = getRoleIndex(_roleId, _ultParent);
return roleList[id].active;
}
return false;
}
function getRoleDetails(string calldata _roleId, string calldata _orgId) external view returns (string memory roleId, string memory orgId, uint accessType, bool voter, bool active)
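Review bot: `roleExists` now answers false for a role that exists but is inactive, so the name no longer describes the contract and nothing documents the new meaning; add a natspec line above the signature such as `/// @notice true only when the role exists at the org or its ultimate parent and is active` (or rename to something like `roleActive` if the callers permit). The `keccak256(abi.encodePacked(...))` key is hashed for the membership test and presumably again inside `getRoleIndex`; reading the index once, `uint id = roleIndex[keccak256(abi.encodePacked(_roleId, _orgId))];` and testing `id != 0`, would avoid the double hashing, provided `getRoleIndex` returns that same value (its body is outside this hunk). Note that an inactive org-level role returns false before the ultimate-parent entry is consulted; this matches `validateRole` in the Go API but should be a deliberate choice, since it decides whether a parent-level role can stand in for a deactivated org-level one.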


@ -361,6 +361,18 @@ func (s *QuorumControlsAPI) valNodeStatusChange(orgId, url string, op int64) (Ex
return ExecSuccess, nil
}
func (s *QuorumControlsAPI) validateRole(orgId, roleId string) bool {
var r *types.RoleInfo
r = types.RoleInfoMap.GetRole(orgId, roleId)
if r == nil {
r = types.RoleInfoMap.GetRole(types.OrgInfoMap.GetOrg(orgId).UltimateParent, roleId)
}
if r != nil {
log.Info("SMK-validateRole @370", "roleId", r.RoleId, "status", r.Active)
}
return r != nil && r.Active
}
func (s *QuorumControlsAPI) valAccountStatusChange(orgId string, account common.Address, op int64) (ExecStatus, error) {
// validates if the enode is linked the passed organization
ac := types.AcctInfoMap.GetAccount(account)
@ -715,12 +727,9 @@ func (s *QuorumControlsAPI) executePermAction(action PermAction, args txArgs) Ex
return execStatus
}
// check if the role is part of the org
if types.RoleInfoMap.GetRole(args.orgId, args.roleId) == nil {
// check if the role is existing at master org level
if types.RoleInfoMap.GetRole(types.OrgInfoMap.GetOrg(args.orgId).UltimateParent, args.roleId) == nil {
return ErrRoleDoesNotExist
}
// check if the role is valid
if !s.validateRole(args.orgId, args.roleId) {
return ErrInvalidRole
}
// check if the account is part of another org
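Review bot: `validateRole` dereferences `types.OrgInfoMap.GetOrg(orgId).UltimateParent` with no nil check, while `GetAcctAccess` in the same commit guards the identical call with `o != nil`, so an unknown orgId panics in the API instead of failing validation; guard it as `if o := types.OrgInfoMap.GetOrg(orgId); o != nil { r = types.RoleInfoMap.GetRole(o.UltimateParent, roleId) }`. The same unguarded dereference is added to `GetAcctListRole` in the cache file (`OrgInfoMap.GetOrg(vp.OrgId).UltimateParent`). The `log.Info("SMK-validateRole @370", ...)` line reads as leftover developer tracing (initials plus a source line number) and fires at Info level on every role check; remove it before merge or demote it to Debug without the marker. In `executePermAction` (whose body starts and ends outside the hunk) the replaced block folds the former `ErrRoleDoesNotExist` into `ErrInvalidRole`, so callers can no longer distinguish a missing role from a deactivated one; if that distinction matters to them, keep the existence check ahead of the active check.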


@ -335,7 +335,8 @@ func (a *AcctCache) GetAcctListRole(orgId, roleId string) []AccountInfo {
for _, k := range a.c.Keys() {
v, _ := a.c.Get(k)
vp := v.(*AccountInfo)
if vp.OrgId == orgId && vp.RoleId == roleId {
if vp.RoleId == roleId && (vp.OrgId == orgId || OrgInfoMap.GetOrg(vp.OrgId).UltimateParent == orgId) {
alist = append(alist, *vp)
}
}
@ -378,10 +379,10 @@ func GetAcctAccess(acctId common.Address) AccessType {
return FullAccess
}
if o := OrgInfoMap.GetOrg(a.OrgId); o != nil && o.Status == OrgApproved {
if r := RoleInfoMap.GetRole(a.OrgId, a.RoleId); r != nil {
if r := RoleInfoMap.GetRole(a.OrgId, a.RoleId); r != nil && r.Active {
return r.Access
}
if r := RoleInfoMap.GetRole(o.UltimateParent, a.RoleId); r != nil {
if r := RoleInfoMap.GetRole(o.UltimateParent, a.RoleId); r != nil && r.Active {
return r.Access
}
}
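Review bot: `GetAcctAccess` now falls through to the ultimate-parent lookup when the org-level role exists but is inactive (the first `r != nil && r.Active` simply fails and the second lookup runs), whereas `validateRole` and the Solidity `roleExists` in this commit consult the parent only when no org-level role exists at all; deactivating an org-level role can therefore still grant the access of a same-named active parent role here, which is an authorization decision the three paths should make identically. If an inactive org-level role is meant to deny, fetch it once and return early with whatever value the function returns when no role matches (its tail is outside this hunk) rather than continuing to the parent lookup. The `GetAcctListRole` change widens the result to accounts of child orgs whose ultimate parent is `orgId`; the function's doc comment, if one sits above the hunk, should state that, and the `GetOrg(vp.OrgId)` result needs the same nil guard this file already uses in `GetAcctAccess`.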