adds RBAC validations on offer data flow

Author: amatsonkali

pallets/gated-marketplace/src/benchmarking.rs

@@ -183,7 +183,7 @@ impl<T: Config> Pallet<T> {
         //This function is only called by the owner of the marketplace
         //ensure the marketplace exists
         ensure!(<Marketplaces<T>>::contains_key(marketplace_id), Error::<T>::MarketplaceNotFound);
-
+        Self::is_authorized(authority.clone(), &marketplace_id,Permission::EnlistSellOffer)?;
         //ensure the collection exists
         if let Some(a) = pallet_uniques::Pallet::<T>::owner(collection_id, item_id) {
             ensure!(a == authority, Error::<T>::NotOwner);
@@ -244,13 +244,14 @@ impl<T: Config> Pallet<T> {
     }
 
     pub fn do_enlist_buy_offer(authority: T::AccountId, marketplace_id: [u8;32], collection_id: T::CollectionId, item_id: T::ItemId, price: BalanceOf<T>,) -> DispatchResult {
-        //TODO: ensure the user is a Marketparticipant
-
+        // ensure the user is a Marketparticipant
+        //ensure!(<ApplicantsByMarketplace<T>>::get(marketplace_id, ApplicationStatus::Approved).contains(&authority), Error::<T>::ApplicantNotFound);
         //ensure the item is for sale, if not, return error
         ensure!(<OffersByItem<T>>::contains_key(collection_id, item_id), Error::<T>::ItemNotForSale);
-
+        
         //ensure the marketplace exists
         ensure!(<Marketplaces<T>>::contains_key(marketplace_id), Error::<T>::MarketplaceNotFound);
+        Self::is_authorized(authority.clone(), &marketplace_id,Permission::EnlistBuyOffer)?;
 
         //ensure the collection exists
         //For this case user doesn't have to be the owner of the collection
@@ -314,6 +315,8 @@ impl<T: Config> Pallet<T> {
     }
 
     pub fn do_take_sell_offer(buyer: T::AccountId, offer_id: [u8;32], marketplace_id: [u8;32], collection_id: T::CollectionId, item_id: T::ItemId,) -> DispatchResult {
+        ensure!(<Marketplaces<T>>::contains_key(marketplace_id), Error::<T>::MarketplaceNotFound);
+        Self::is_authorized(buyer.clone(), &marketplace_id,Permission::TakeSellOffer)?;
         //This extrisicn is called by the user who wants to buy the item
         //ensure the collection & owner exists
         let owner_item = pallet_uniques::Pallet::<T>::owner(collection_id, item_id).ok_or(Error::<T>::OwnerNotFound)?;
@@ -358,6 +361,8 @@ impl<T: Config> Pallet<T> {
 
     pub fn do_take_buy_offer(authority: T::AccountId, offer_id: [u8;32], marketplace_id: [u8;32], collection_id: T::CollectionId, item_id: T::ItemId,) -> DispatchResult {
         //This extrinsic is called by the owner of the item who accepts the buy offer from the interested user.
+        ensure!(<Marketplaces<T>>::contains_key(&marketplace_id), Error::<T>::MarketplaceNotFound);
+        Self::is_authorized(authority.clone(), &marketplace_id,Permission::TakeBuyOffer)?;
         //ensure the collection & owner exists
         let owner_item = pallet_uniques::Pallet::<T>::owner(collection_id, item_id).ok_or(Error::<T>::OwnerNotFound)?;
 
@@ -408,7 +413,7 @@ impl<T: Config> Pallet<T> {
     pub fn do_duplicate_offer(authority: T::AccountId, offer_id: [u8;32], marketplace_id: [u8;32], collection_id: T::CollectionId, item_id: T::ItemId, modified_price: BalanceOf<T>) -> DispatchResult{
         //ensure new marketplace_id exits
         ensure!(<Marketplaces<T>>::contains_key(marketplace_id), Error::<T>::MarketplaceNotFound);
-
+        Self::is_authorized(authority.clone(), &marketplace_id,Permission::DuplicateOffer)?;
         //ensure that the offer_id exists
         ensure!(<OffersInfo<T>>::contains_key(offer_id), Error::<T>::OfferNotFound);
 
@@ -455,7 +460,7 @@ impl<T: Config> Pallet<T> {
     pub fn do_remove_offer(authority: T::AccountId, offer_id: [u8;32], marketplace_id: [u8;32], collection_id: T::CollectionId, item_id: T::ItemId, ) -> DispatchResult {
         //ensure marketplace_id exits
         ensure!(<Marketplaces<T>>::contains_key(marketplace_id), Error::<T>::MarketplaceNotFound);
-
+        Self::is_authorized(authority.clone(), &marketplace_id,Permission::RemoveOffer)?;
         //ensure the offer_id exists
         ensure!(<OffersInfo<T>>::contains_key(offer_id), Error::<T>::OfferNotFound);
 

pallets/gated-marketplace/src/functions.rs

@@ -8,9 +8,6 @@ mod mock;
 #[cfg(test)]
 mod tests;
 
-#[cfg(feature = "runtime-benchmarks")]
-mod benchmarking;
-
 mod functions;
 mod types;
 

pallets/gated-marketplace/src/lib.rs

@@ -153,7 +153,7 @@ parameter_types! {
 	pub const MaxRolesPerPallet: u32 = 6;
 	pub const RoleMaxLen: u32 = 25;
 	pub const PermissionMaxLen: u32 = 25;
-	pub const MaxPermissionsPerRole: u32 = 5;
+	pub const MaxPermissionsPerRole: u32 = 11;
 	pub const MaxRolesPerUser: u32 = 2;
 	pub const MaxUsersPerRole: u32 = 2;
 }

pallets/gated-marketplace/src/mock.rs

@@ -1085,6 +1085,9 @@ fn enlist_buy_offer_an_item_can_receive_multiple_buy_offers(){
 		let offer_id2 = GatedMarketplace::offers_by_account(2).iter().next().unwrap().clone();
 		assert!(GatedMarketplace::offers_info(offer_id2).is_some());
 
+		// User 3 will buy the asset so it'll have to enter the marketplace first
+		assert_ok!(GatedMarketplace::apply(Origin::signed(3),m_id,create_application_fields(2), None ));
+		assert_ok!(GatedMarketplace::enroll(Origin::signed(1), m_id , AccountOrApplication::Account(3), true, default_feedback()));
 		assert_ok!(GatedMarketplace::enlist_buy_offer(Origin::signed(3), m_id, 0, 0, 1200));
 		let offer_id3 = GatedMarketplace::offers_by_account(3).iter().next().unwrap().clone();
 		assert!(GatedMarketplace::offers_info(offer_id3).is_some());

pallets/gated-marketplace/src/tests.rs

@@ -98,11 +98,13 @@ impl Permission{
 
     pub fn admin_permissions()-> Vec<Vec<u8>>{
         use crate::types::Permission::*;
-        [Enroll.to_vec(),
+        let mut admin_permissions = [Enroll.to_vec(),
         AddAuth.to_vec(),
         RemoveAuth.to_vec(),
         UpdateLabel.to_vec(),
-        RemoveMarketplace.to_vec()].to_vec()
+        RemoveMarketplace.to_vec()].to_vec();
+        admin_permissions.append(&mut Permission::participant_permissions());
+        admin_permissions
     }
 
     pub fn participant_permissions()->Vec<Vec<u8>>{