Require that add/remove admin transactions can only be created by group members.

For regular groups, we require that the owner adds/removes the admins, so group membership is adequately checked. However for null-owned groups this check is skipped. So we need an additional condition to prevent non-group members from issuing a transaction for approval by the group admins.

src/main/java/org/qortal/transaction/AddGroupAdminTransaction.java

@@ -79,6 +79,10 @@ public class AddGroupAdminTransaction extends Transaction {
 		if (!this.repository.getGroupRepository().memberExists(groupId, memberAddress))
 			return ValidationResult.NOT_GROUP_MEMBER;
 
+		// Check transaction creator is a group member
+		if (!this.repository.getGroupRepository().memberExists(groupId, this.getCreator().getAddress()))
+			return ValidationResult.NOT_GROUP_MEMBER;
+
 		// Check group member is not already an admin
 		if (this.repository.getGroupRepository().adminExists(groupId, memberAddress))
 			return ValidationResult.ALREADY_GROUP_ADMIN;

src/main/java/org/qortal/transaction/RemoveGroupAdminTransaction.java

@@ -77,6 +77,10 @@ public class RemoveGroupAdminTransaction extends Transaction {
 		if (!groupOwnedByNullAccount && !owner.getAddress().equals(groupOwner))
 			return ValidationResult.INVALID_GROUP_OWNER;
 
+		// Check transaction creator is a group member
+		if (!this.repository.getGroupRepository().memberExists(groupId, this.getCreator().getAddress()))
+			return ValidationResult.NOT_GROUP_MEMBER;
+
 		Account admin = getAdmin();
 
 		// Check member is an admin