Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Allow AccessControl role hierarchy to be defined at runtime #2165

Closed
alcueca opened this issue Apr 2, 2020 · 2 comments
Closed

Allow AccessControl role hierarchy to be defined at runtime #2165

alcueca opened this issue Apr 2, 2020 · 2 comments

Comments

@alcueca
Copy link
Contributor

alcueca commented Apr 2, 2020
edited
Loading

🧐 Motivation
Right now the only function to set an admin role is:
function _setRoleAdmin(bytes32 role, bytes32 adminRole) internal virtual

That can be used to set up a role hierarchy in the constructor of a class extending AccessControl, but there would be issues if the role hierarchy should be defined at runtime.

📝 Details
If defining roles at runtime, changing the role admin for a particular role should be restricted to members of the current admin role. Otherwise anyone could change an admin role to gain control of another role.

Example: A role with DEFAULT_ADMIN_ROLE as the admin role. Only members of the DEFAULT_ADMIN_ROLE should be able to redefine the admin role.

A class extending AccessControl doesn't have access to getRoleAdmin (external) or _roles (private). That means that a class extending AccessControl cannot know what is the admin role of another role, and cannot implement the rule above.

Options

  1. Make getRoleAdmin public.
  2. Add an external setRoleAdmin function checking for admin role membership of msg.sender.
    function setRoleAdmin(bytes32 role, bytes32 adminRole) external virtual {
    require(hasRole(_roles[role].adminRole, _msgSender()), "AccessControl: sender must be an admin to set admin role");
    _setRoleAdmin(role, adminRole);
    }

Both options could be implemented.

  1. I'm not sure of the reason for a view function to be external (bug?).
  2. AccessControl.sol implements a role hierarchy, I think that without an external setRoleAdmin function the contract is incomplete, forcing the user to correct this vulnerability in an extending contract if they want to obtain the full functionality.
@nventuro
Copy link
Contributor

nventuro commented Apr 2, 2020
edited
Loading

Thanks for opening this @albertocuestacanada! Indeed, the intent behind AccessControl is to allow for dynamic role hierarchies, but it is not supported out of the box: you'll have to think about which requirements to add when exposing _setRoleAdmin externally.

Your comment about getRoleAdmin() external getting in the way is spot-on: we've identified a number of issues related to having external functions, and so opened #2162 to get rid of them all. Once that PR is merged, dynamic hierarchies should work just fine.

@alcueca
Copy link
Contributor Author

alcueca commented Apr 2, 2020
edited
Loading

I've see the new code in #2162, and that is enough, as you say.

I think we will at some point need to implement a public setRoleAdmin function, due to developer misuse, but let's see if time proves I'm wrong.

You can close this issue if you want. Thanks a lot!

@nventuro nventuro closed this as completed Apr 2, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@nventuro @alcueca