diff --git a/crates/iroha_executor/src/default.rs b/crates/iroha_executor/src/default.rs
index 19fe09bb666..b3d33526d76 100644
--- a/crates/iroha_executor/src/default.rs
+++ b/crates/iroha_executor/src/default.rs
@@ -164,7 +164,7 @@ pub mod domain {
 use super::*;
 use crate::permission::{
- account::is_account_owner, accounts_permissions, domain::is_domain_owner, roles_permissions,
+ account::is_account_owner, domain::is_domain_owner, revoke_permissions,
 };
 pub fn visit_register_domain(
@@ -200,30 +200,13 @@ pub mod domain {
 .is_owned_by(&executor.context().authority, executor.host())
 }
 {
- let mut err = None;
- for (owner_id, permission) in accounts_permissions(executor.host()) {
- if is_permission_domain_associated(&permission, domain_id) {
- let isi = &Revoke::account_permission(permission, owner_id.clone());
-
- if let Err(error) = executor.host().submit(isi) {
- err = Some(error);
- break;
- }
- }
+ revoke_permissions(executor, |permission| {
+ is_permission_domain_associated(permission, domain_id)
+ });
+ if executor.verdict().is_err() {
+ return;
 }
- if let Some(err) = err {
- deny!(executor, err);
- }
-
- for (role_id, permission) in roles_permissions(executor.host()) {
- if is_permission_domain_associated(&permission, domain_id) {
- let isi = &Revoke::role_permission(permission, role_id.clone());
- if let Err(err) = executor.host().submit(isi) {
- deny!(executor, err);
- }
- }
- }
 execute!(executor, isi);
 }
 deny!(executor, "Can't unregister domain");
@@ -389,7 +372,7 @@ pub mod account {
 };
 use super::*;
- use crate::permission::{account::is_account_owner, accounts_permissions, roles_permissions};
+ use crate::permission::{account::is_account_owner, revoke_permissions};
 pub fn visit_register_account(
 executor: &mut V,
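Review bot: In the domain unregister hunk (`@@ -200,30 +200,13 @@`), the only thing that keeps `execute!(executor, isi)` from running after a failed revoke is the hand-written `if executor.verdict().is_err() { return; }`, because `revoke_permissions` returns `()` and reports failure solely through the executor's verdict. The account, asset_definition and trigger hunks repeat the same guard, and the compiler will not flag a future call site that omits it, which could let an unregister proceed while permissions tied to the removed object are still granted. Returning the error from the helper makes the check hard to forget: with a `Result` return the call sites become `if let Err(err) = revoke_permissions(executor, |p| ...) { deny!(executor, err); }`. The enclosing functions start and end outside these hunks, and what `execute!` does with an already-denied verdict is not visible here.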
@@ -441,30 +424,13 @@ pub mod account {
 .is_owned_by(&executor.context().authority, executor.host())
 }
 {
- let mut err = None;
- for (owner_id, permission) in accounts_permissions(executor.host()) {
- if is_permission_account_associated(&permission, account_id) {
- let isi = &Revoke::account_permission(permission, owner_id.clone());
-
- if let Err(error) = executor.host().submit(isi) {
- err = Some(error);
- break;
- }
- }
+ revoke_permissions(executor, |permission| {
+ is_permission_account_associated(permission, account_id)
+ });
+ if executor.verdict().is_err() {
+ return;
 }
- if let Some(err) = err {
- deny!(executor, err);
- }
-
- for (role_id, permission) in roles_permissions(executor.host()) {
- if is_permission_account_associated(&permission, account_id) {
- let isi = &Revoke::role_permission(permission, role_id.clone());
- if let Err(err) = executor.host().submit(isi) {
- deny!(executor, err);
- }
- }
- }
 execute!(executor, isi);
 }
 deny!(executor, "Can't unregister another account");
@@ -582,8 +548,7 @@ pub mod asset_definition {
 use super::*;
 use crate::permission::{
- account::is_account_owner, accounts_permissions,
- asset_definition::is_asset_definition_owner, roles_permissions,
+ account::is_account_owner, asset_definition::is_asset_definition_owner, revoke_permissions,
 };
 pub fn visit_register_asset_definition(
@@ -640,30 +605,13 @@ pub mod asset_definition {
 .is_owned_by(&executor.context().authority, executor.host())
 }
 {
- let mut err = None;
- for (owner_id, permission) in accounts_permissions(executor.host()) {
- if is_permission_asset_definition_associated(&permission, asset_definition_id) {
- let isi = &Revoke::account_permission(permission, owner_id.clone());
-
- if let Err(error) = executor.host().submit(isi) {
- err = Some(error);
- break;
- }
- }
+ revoke_permissions(executor, |permission| {
+ is_permission_asset_definition_associated(permission, asset_definition_id)
+ });
+ if executor.verdict().is_err() {
+ return;
 }
- if let Some(err) = err {
- deny!(executor, err);
- }
-
- for (role_id, permission) in roles_permissions(executor.host()) {
- if is_permission_asset_definition_associated(&permission, asset_definition_id) {
- let isi = &Revoke::role_permission(permission, role_id.clone());
- if let Err(err) = executor.host().submit(isi) {
- deny!(executor, err);
- }
- }
- }
 execute!(executor, isi);
 }
 deny!(
@@ -1364,7 +1312,7 @@ pub mod trigger {
 use super::*;
 use crate::permission::{
- accounts_permissions, domain::is_domain_owner, roles_permissions, trigger::is_trigger_owner,
+ domain::is_domain_owner, revoke_permissions, trigger::is_trigger_owner,
 };
 pub fn visit_register_trigger(
@@ -1450,28 +1398,11 @@ pub mod trigger {
 }
 || CanUnregisterAnyTrigger.is_owned_by(&executor.context().authority, executor.host())
 {
- let mut err = None;
- for (owner_id, permission) in accounts_permissions(executor.host()) {
- if is_permission_trigger_associated(&permission, trigger_id) {
- let isi = &Revoke::account_permission(permission, owner_id.clone());
-
- if let Err(error) = executor.host().submit(isi) {
- err = Some(error);
- break;
- }
- }
- }
- if let Some(err) = err {
- deny!(executor, err);
- }
-
- for (role_id, permission) in roles_permissions(executor.host()) {
- if is_permission_trigger_associated(&permission, trigger_id) {
- let isi = &Revoke::role_permission(permission, role_id.clone());
- if let Err(err) = executor.host().submit(isi) {
- deny!(executor, err);
- }
- }
+ revoke_permissions(executor, |permission| {
+ is_permission_trigger_associated(permission, trigger_id)
+ });
+ if executor.verdict().is_err() {
+ return;
 }
 execute!(executor, isi);
diff --git a/crates/iroha_executor/src/permission.rs b/crates/iroha_executor/src/permission.rs
index f39cc199d71..b984450040d 100644
--- a/crates/iroha_executor/src/permission.rs
+++ b/crates/iroha_executor/src/permission.rs
@@ -5,11 +5,13 @@ use alloc::{borrow::ToOwned as _, vec::Vec};
 use iroha_executor_data_model::permission::Permission;
 use crate::{
+ deny,
 prelude::Context,
 smart_contract::{
 data_model::{executor::Result, permission::Permission as PermissionObject, prelude::*},
 prelude::*,
 },
+ Execute,
 };
 /// Declare permission types of current module. Use it with a full path to the permission.
@@ -1114,3 +1116,37 @@ pub(crate) fn roles_permissions(host: &Iroha) -> impl Iterator( + executor: &mut V, + condition: impl Fn(&PermissionObject) -> bool, +) { + let mut err = None; + for (owner_id, permission) in accounts_permissions(executor.host()) { + if condition(&permission) { + let isi = Revoke::account_permission(permission, owner_id.clone()); + + if let Err(error) = executor.host().submit(&isi) { + err = Some(error); + break; + } + } + } + if let Some(err) = err { + deny!(executor, err); + } + + for (role_id, permission) in roles_permissions(executor.host()) { + if condition(&permission) { + let isi = Revoke::role_permission(permission, role_id.clone()); + + if let Err(err) = executor.host().submit(&isi) { + deny!(executor, err); + } + } + } +}
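Review bot: A `submit` failure part-way through either loop leaves the revocations already submitted in place, since the function only calls `deny!` and returns; whether they are rolled back depends on the host discarding the effects of a denied instruction, which this hunk does not show. If that guarantee holds, state it where the error is handled, e.g. `// Earlier revokes are discarded together with the denied instruction; no manual rollback needed.`; if it does not, the object's permissions can end up partially revoked while the object itself stays registered. The first lines of this hunk, including the function signature, are missing from the page, so an existing doc comment may already cover this.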