-
Notifications
You must be signed in to change notification settings - Fork 20
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Implement access control for AccountStore members #3204
base: dev
Are you sure you want to change the base?
Implement access control for AccountStore members #3204
Conversation
d9a4b41
to
8cabe70
Compare
return Err(Error::<T>::NoPermission); | ||
} | ||
}, | ||
_ => return Ok(()), |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Just wondering: is it better to return error here?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Returning Err
means the member account does not have permissions, but that's not the case if it reaches this point.
The permissions for the call are checked at the beginning of the method, the extra checks for add_account
and set_permissions
are to make sure the caller cannot set permissions or add an account with more permissions than it (the caller) has. For all the other calls the permissions have already been checked.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The reason I ask is: ensure_permission
is only called by add_account
and set_permissions
.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
ensure_permissions
is called on dispatch_as_signed
and dispatch_as_omni_account
(in this case the call to dispatch could be add_account
or set_permissions
for example)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
In general, LGTM. Left one comment.
…ore-members-in-the
As topic, this PR introduces an access control mechanism for the OmniAccount (AccountStore) members.