mirror of https://github.com/poanetwork/quorum.git
permissions: added checks to ensure that a role cannot be removed when active accounts are linked to it.
parent
8e57f36013
commit
9d844b9dbf
|
@ -32,7 +32,16 @@ contract RoleManager {
|
|||
|
||||
function roleExists(string memory _roleId, string memory _orgId, string memory _ultParent) public view returns (bool)
|
||||
{
|
||||
return ((roleIndex[keccak256(abi.encodePacked(_roleId, _orgId))] != 0) || (roleIndex[keccak256(abi.encodePacked(_roleId, _ultParent))] != 0));
|
||||
uint id;
|
||||
if (roleIndex[keccak256(abi.encodePacked(_roleId, _orgId))] != 0) {
|
||||
id = getRoleIndex(_roleId, _orgId);
|
||||
return roleList[id].active;
|
||||
}
|
||||
else if (roleIndex[keccak256(abi.encodePacked(_roleId, _ultParent))] != 0) {
|
||||
id = getRoleIndex(_roleId, _ultParent);
|
||||
return roleList[id].active;
|
||||
}
|
||||
return false;
|
||||
}
|
||||
|
||||
function getRoleDetails(string calldata _roleId, string calldata _orgId) external view returns (string memory roleId, string memory orgId, uint accessType, bool voter, bool active)
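Review bot: `roleExists` now answers "exists and is active", so its name no longer matches what it returns, and any caller that uses it as a duplicate-id guard will treat a deactivated role as absent; no caller is visible in this hunk, so whether a deactivated role id can be re-added should be checked. An org-level entry that is inactive returns false before the `_ultParent` entry is consulted, which is worth stating in a NatSpec line such as `/// @notice true only if the role found for _orgId (else for _ultParent) is active`. The key `keccak256(abi.encodePacked(_roleId, _orgId))` packs two dynamic strings with no separator, so distinct (role, org) pairs can produce the same key; `abi.encode` avoids that, but it would have to change wherever the index is written, which is outside this hunk.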
|
||||
|
|
|
@ -361,6 +361,18 @@ func (s *QuorumControlsAPI) valNodeStatusChange(orgId, url string, op int64) (Ex
|
|||
return ExecSuccess, nil
|
||||
}
|
||||
|
||||
func (s *QuorumControlsAPI) validateRole(orgId, roleId string) bool {
|
||||
var r *types.RoleInfo
|
||||
r = types.RoleInfoMap.GetRole(orgId, roleId)
|
||||
if r == nil {
|
||||
r = types.RoleInfoMap.GetRole(types.OrgInfoMap.GetOrg(orgId).UltimateParent, roleId)
|
||||
}
|
||||
if r != nil {
|
||||
log.Info("SMK-validateRole @370", "roleId", r.RoleId, "status", r.Active)
|
||||
}
|
||||
return r != nil && r.Active
|
||||
}
|
||||
|
||||
func (s *QuorumControlsAPI) valAccountStatusChange(orgId string, account common.Address, op int64) (ExecStatus, error) {
|
||||
// validates if the enode is linked the passed organization
|
||||
ac := types.AcctInfoMap.GetAccount(account)
|
||||
|
@ -715,12 +727,9 @@ func (s *QuorumControlsAPI) executePermAction(action PermAction, args txArgs) Ex
|
|||
return execStatus
|
||||
}
|
||||
|
||||
// check if the role is part of the org
|
||||
if types.RoleInfoMap.GetRole(args.orgId, args.roleId) == nil {
|
||||
// check if the role is existing at master org level
|
||||
if types.RoleInfoMap.GetRole(types.OrgInfoMap.GetOrg(args.orgId).UltimateParent, args.roleId) == nil {
|
||||
return ErrRoleDoesNotExist
|
||||
}
|
||||
// check if the role is valid
|
||||
if !s.validateRole(args.orgId, args.roleId) {
|
||||
return ErrInvalidRole
|
||||
}
|
||||
|
||||
// check if the account is part of another org
|
||||
|
|
|
@ -335,7 +335,8 @@ func (a *AcctCache) GetAcctListRole(orgId, roleId string) []AccountInfo {
|
|||
for _, k := range a.c.Keys() {
|
||||
v, _ := a.c.Get(k)
|
||||
vp := v.(*AccountInfo)
|
||||
if vp.OrgId == orgId && vp.RoleId == roleId {
|
||||
|
||||
if vp.RoleId == roleId && (vp.OrgId == orgId || OrgInfoMap.GetOrg(vp.OrgId).UltimateParent == orgId) {
|
||||
alist = append(alist, *vp)
|
||||
}
|
||||
}
|
||||
|
@ -378,10 +379,10 @@ func GetAcctAccess(acctId common.Address) AccessType {
|
|||
return FullAccess
|
||||
}
|
||||
if o := OrgInfoMap.GetOrg(a.OrgId); o != nil && o.Status == OrgApproved {
|
||||
if r := RoleInfoMap.GetRole(a.OrgId, a.RoleId); r != nil {
|
||||
if r := RoleInfoMap.GetRole(a.OrgId, a.RoleId); r != nil && r.Active {
|
||||
return r.Access
|
||||
}
|
||||
if r := RoleInfoMap.GetRole(o.UltimateParent, a.RoleId); r != nil {
|
||||
if r := RoleInfoMap.GetRole(o.UltimateParent, a.RoleId); r != nil && r.Active {
|
||||
return r.Access
|
||||
}
|
||||
}
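Review bot: In `GetAcctAccess` an org-level role that exists but is inactive now falls through to the `o.UltimateParent` lookup, so the account can still receive the access of an active parent-level role with the same id, whereas `validateRole` and the contract's `roleExists` in this commit stop at the org-level entry and treat the role as invalid. If both levels can hold the same role id, the three checks should agree on precedence; to match the other two, the first branch would read `if r := RoleInfoMap.GetRole(a.OrgId, a.RoleId); r != nil {` with the `r.Active` test inside it. What an inactive role should return depends on the remainder of the function, which is outside the hunk, so at minimum the chosen precedence deserves a comment above the second lookup.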
|
||||
|
|