Skip to content

UnrestrictedWrite for certain Authorization Patterns #93

New issue
New issue
Open
Open
UnrestrictedWrite for certain Authorization Patterns#93
Labels
BugSomething isn't workingEnhancementNew feature or requestSome DayThis issue may be worked on some day in the distant future
@ritzdorf

Description

@ritzdorf
ritzdorf
opened on Mar 5, 2019

Certain authorization patterns, do not use a direct

require(msg.sender == owner);

and instead perform a mapping-based authorization lookup that leads to the branch condition.
An example is provided below. This currently leads to violations for UnrestrictedWrite.

contract AuthTest {
    mapping(address => bool) isAuthorized;
    uint internal secret;

    constructor() public {
        isAuthorized[msg.sender] = true;
    }

    function setAuthorization(address a, bool v)
        public
        auth
    {
        isAuthorized[a] = v;
    }

    modifier auth {
        require(isAuthorized[msg.sender]);
        _;
    }

    function sensitiveFunc(uint x) public auth returns (bool) {
        secret = x;
    }
}

Metadata

Metadata

Assignees

No one assigned

    Labels

    BugSomething isn't workingEnhancementNew feature or requestSome DayThis issue may be worked on some day in the distant future

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions