Require that add/remove admin transactions can only be created by group members.

For regular groups, we require that the owner adds/removes the admins, so group membership is adequately checked. However for null-owned groups this check is skipped. So we need an additional condition to prevent non-group members from issuing a transaction for approval by the group admins.
2025-03-13 11:12:31 +00:00 · 2022-09-19 16:34:31 +01:00 · 2022-09-19 16:34:31 +01:00 · 93fd80e289
commit 93fd80e289
parent 5581b83c57
2 changed files with 8 additions and 0 deletions
--- a/src/main/java/org/qortal/transaction/AddGroupAdminTransaction.java
+++ b/src/main/java/org/qortal/transaction/AddGroupAdminTransaction.java
@ -79,6 +79,10 @@ public class AddGroupAdminTransaction extends Transaction {
 		if (!this.repository.getGroupRepository().memberExists(groupId, memberAddress))
 			return ValidationResult.NOT_GROUP_MEMBER;

+		// Check transaction creator is a group member
+		if (!this.repository.getGroupRepository().memberExists(groupId, this.getCreator().getAddress()))
+			return ValidationResult.NOT_GROUP_MEMBER;
+
 		// Check group member is not already an admin
 		if (this.repository.getGroupRepository().adminExists(groupId, memberAddress))
 			return ValidationResult.ALREADY_GROUP_ADMIN;
--- a/src/main/java/org/qortal/transaction/RemoveGroupAdminTransaction.java
+++ b/src/main/java/org/qortal/transaction/RemoveGroupAdminTransaction.java
@ -77,6 +77,10 @@ public class RemoveGroupAdminTransaction extends Transaction {
 		if (!groupOwnedByNullAccount && !owner.getAddress().equals(groupOwner))
 			return ValidationResult.INVALID_GROUP_OWNER;

+		// Check transaction creator is a group member
+		if (!this.repository.getGroupRepository().memberExists(groupId, this.getCreator().getAddress()))
+			return ValidationResult.NOT_GROUP_MEMBER;
+
 		Account admin = getAdmin();

 		// Check member is an admin