Require that add/remove admin transactions can only be created by group members.

For regular groups, we require that the owner adds/removes the admins, so group membership is adequately checked. However for null-owned groups this check is skipped. So we need an additional condition to prevent non-group members from issuing a transaction for approval by the group admins.
This commit is contained in:
CalDescent 2022-09-19 16:34:31 +01:00
parent 5581b83c57
commit 93fd80e289
2 changed files with 8 additions and 0 deletions

View File

@ -79,6 +79,10 @@ public class AddGroupAdminTransaction extends Transaction {
if (!this.repository.getGroupRepository().memberExists(groupId, memberAddress))
return ValidationResult.NOT_GROUP_MEMBER;
// Check transaction creator is a group member
if (!this.repository.getGroupRepository().memberExists(groupId, this.getCreator().getAddress()))
return ValidationResult.NOT_GROUP_MEMBER;
// Check group member is not already an admin
if (this.repository.getGroupRepository().adminExists(groupId, memberAddress))
return ValidationResult.ALREADY_GROUP_ADMIN;

View File

@ -77,6 +77,10 @@ public class RemoveGroupAdminTransaction extends Transaction {
if (!groupOwnedByNullAccount && !owner.getAddress().equals(groupOwner))
return ValidationResult.INVALID_GROUP_OWNER;
// Check transaction creator is a group member
if (!this.repository.getGroupRepository().memberExists(groupId, this.getCreator().getAddress()))
return ValidationResult.NOT_GROUP_MEMBER;
Account admin = getAdmin();
// Check member is an admin