From 93fd80e289b9923e348c87bcd4e089d340215cb2 Mon Sep 17 00:00:00 2001
From: CalDescent
Date: Mon, 19 Sep 2022 16:34:31 +0100
Subject: [PATCH] Require that add/remove admin transactions can only be created by group members. For regular groups, we require that the owner adds/removes the admins, so group membership is adequately checked. However for null-owned groups this check is skipped. So we need an additional condition to prevent non-group members from issuing a transaction for approval by the group admins.
---
 .../java/org/qortal/transaction/AddGroupAdminTransaction.java | 4 ++++
 .../org/qortal/transaction/RemoveGroupAdminTransaction.java | 4 ++++
 2 files changed, 8 insertions(+)
diff --git a/src/main/java/org/qortal/transaction/AddGroupAdminTransaction.java b/src/main/java/org/qortal/transaction/AddGroupAdminTransaction.java
index 3cd9845d..f38638c5 100644
--- a/src/main/java/org/qortal/transaction/AddGroupAdminTransaction.java
+++ b/src/main/java/org/qortal/transaction/AddGroupAdminTransaction.java
@@ -79,6 +79,10 @@ public class AddGroupAdminTransaction extends Transaction {
 if (!this.repository.getGroupRepository().memberExists(groupId, memberAddress))
 return ValidationResult.NOT_GROUP_MEMBER;
 
+ // Check transaction creator is a group member
+ if (!this.repository.getGroupRepository().memberExists(groupId, this.getCreator().getAddress()))
+ return ValidationResult.NOT_GROUP_MEMBER;
+
 // Check group member is not already an admin
 if (this.repository.getGroupRepository().adminExists(groupId, memberAddress))
 return ValidationResult.ALREADY_GROUP_ADMIN;
diff --git a/src/main/java/org/qortal/transaction/RemoveGroupAdminTransaction.java b/src/main/java/org/qortal/transaction/RemoveGroupAdminTransaction.java
index 8d538143..043b5423 100644
--- a/src/main/java/org/qortal/transaction/RemoveGroupAdminTransaction.java
+++ b/src/main/java/org/qortal/transaction/RemoveGroupAdminTransaction.java
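Review bot: The added creator check in AddGroupAdminTransaction returns `NOT_GROUP_MEMBER`, the same result as the target-member check directly above it, so a rejected transaction does not tell the caller whether the proposed admin or the submitting account failed the membership test. If a distinct result is not wanted, the comment should at least carry the reason given in the commit message, e.g. `// Creator must be a group member: null-owned groups skip the owner check, so this stops non-members submitting for admin approval`. The enclosing method begins and ends outside the hunk, so how the owner check relates to these lines in this file is known only from the commit message. The diffstat lists no test change; a case with a non-member creator on a null-owned group would pin the new rule for both transaction classes.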
@@ -77,6 +77,10 @@ public class RemoveGroupAdminTransaction extends Transaction {
 if (!groupOwnedByNullAccount && !owner.getAddress().equals(groupOwner))
 return ValidationResult.INVALID_GROUP_OWNER;
 
+ // Check transaction creator is a group member
+ if (!this.repository.getGroupRepository().memberExists(groupId, this.getCreator().getAddress()))
+ return ValidationResult.NOT_GROUP_MEMBER;
+
 Account admin = getAdmin();
 
 // Check member is an admin
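Review bot: The new membership check takes its account from `this.getCreator()`, while the owner check on the context lines just above uses the local `owner`, so the two authorization checks in this method name their subject differently. If `owner` is the creator's account (its definition is outside the hunk), reusing it makes it plain that one principal is checked throughout: `if (!this.repository.getGroupRepository().memberExists(groupId, owner.getAddress()))`. If the two can differ, the comment should say why membership is required of the creator rather than of the owner.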