Impact: High
Likelihood: Low
According to the discussion with the team, it is expected that in Space
contracts, only one Role can have the Permissions.Owner permission.
Currently, multiple Roles can be created containing this permission.
This is caused by Space.sol’s createRole() function allowing the
OpenZeppelin owner to create new owner-permissioned roles without limit.
Remediations to consider:
Do not allow multiple roles to be created with the ownership permission.
This could be done with something like: if Space.sol’s ownerRoleId is
set, do not allow new roles to be created with the Permissions.Owner
permission.
Fixes HNT-703 as well
Removing the OpenZeppelin ownership logic, and, checking directly for
the ownership of the Space’s SpaceOwner NFT. The SpaceFactory could be
the owner during the bootstrapping phase, and afterwards, could transfer
the NFT to the proper owner. Doing a direct check like
_spaceOwner().ownerOf(tokenId) == _msgSender() would be safe because
that’s what the owner entitlement is going to check eventually.
---------
Co-authored-by: Kerem Kazan <kerem.kazan@gmail.com>
Overloaded isEntitled func in ISpace.sol and Space.sol caused the generated client types to turn into string names. Renaming one of them to isEntitledToChannel.
- Add new functions to modify role name, permissions, token entitlement
and user entitlement with a single call
- Add new solidity tests for the new functions
- Re-generated TypeScript and Go types for both localhost and goerli
- space manager catches error when adding roleId to channels so that
client can get meaningful error
- Update the createChannel tests to expect the new error AddRoleFailed
- Re-generate localhost and goerli types
Need the address to implement the ZionRoleManagerShim
I ran this in zion-governance/ and it worked :
forge script scripts/Local.s.sol:DeployLocal --rpc-url
http://localhost:8545/ --private-key … --broadcast
space-manager.json has the rolemanager address
This PR finishes changing all the public interfaces at the moment for
space creation and updates the client.
All integration and forge tests passing.
Local and Goerli ABIs generated.
Co-authored-by: g <5714678+giuseppecrj@users.noreply.github.com>
This change updates token entitlement data structures and allows for
multiple tokens to be set for a single role, permitting the AND
operation for multiple token requirements.
It also decodes structs when creating a space and setting a new token
entitlement.
Added new tests for multiple tokens gating a role.
Also generates localhost AND Goerli ABIs.
Forge and integration tests all pass
Pulls in upstream latest changes from [dendrite-fork
](https://github.com/HereNotThere/dendrite)to subtree at
servers/dendrite here.
Co-authored-by: Tak Wai Wong <64229756+tak-hntlabs@users.noreply.github.com>
Co-authored-by: Tak Wai Wong <tak@hntlabs.com>
Co-authored-by: John Terzis <john@hntlabs.com>
