npm - @bananapus/ownable-v6 - Versions diffs - 0.0.20 → 0.0.22 - Mend

@bananapus/ownable-v6 0.0.20 → 0.0.22

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

package/package.json +3 -3
package/src/JBOwnableOverrides.sol +19 -2
package/test/audit/PermissionDriftAfterProjectTransfer.t.sol +58 -0
package/test/audit/PermissionIdNFTTransfer.t.sol +93 -0
package/test/audit/ProjectTransferPermissionPolicy.t.sol +58 -0

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@bananapus/ownable-v6",
-  "version": "0.0.20",
+  "version": "0.0.22",
   "license": "MIT",
   "repository": {
     "type": "git",
@@ -10,8 +10,8 @@
     "node": ">=20.0.0"
   },
   "dependencies": {
-    "@bananapus/core-v6": "^0.0.34",
-    "@bananapus/permission-ids-v6": "^0.0.17",
+    "@bananapus/core-v6": "^0.0.36",
+    "@bananapus/permission-ids-v6": "^0.0.19",
     "@openzeppelin/contracts": "^5.6.1"
   },
   "scripts": {

package/src/JBOwnableOverrides.sol CHANGED Viewed

@@ -36,6 +36,14 @@ abstract contract JBOwnableOverrides is Context, JBPermissioned, IJBOwnable {
     /// @notice This contract's owner information.
     JBOwner public override jbOwner;
+    //*********************************************************************//
+    // -------------------- internal stored properties ------------------- //
+    //*********************************************************************//
+    /// @notice The resolved owner address at the time permissionId was last set.
+    /// @dev Used to detect stale permissions after ownership changes (e.g., NFT transfer).
+    address internal _permissionOwner;
     //*********************************************************************//
     // -------------------------- constructor ---------------------------- //
     //*********************************************************************//
@@ -134,9 +142,16 @@ abstract contract JBOwnableOverrides is Context, JBPermissioned, IJBOwnable {
             }
         }
+        // Detect stale permissions: if ownership changed since permissionId was set
+        // (e.g., project NFT transferred), treat permissionId as 0 (direct-owner-only).
+        uint8 effectivePermissionId = ownerInfo.permissionId;
+        if (effectivePermissionId != 0 && resolvedOwner != _permissionOwner) {
+            effectivePermissionId = 0;
+        }
         // When permissionId is 0 (direct-owner-only mode), bypass the permission system entirely.
         // This ensures ROOT operators cannot act as owner when delegation is disabled.
-        if (ownerInfo.permissionId == 0) {
+        if (effectivePermissionId == 0) {
             if (_msgSender() != resolvedOwner) {
                 revert JBPermissioned.JBPermissioned_Unauthorized({
                     account: resolvedOwner, sender: _msgSender(), projectId: ownerInfo.projectId, permissionId: 0
@@ -146,7 +161,7 @@ abstract contract JBOwnableOverrides is Context, JBPermissioned, IJBOwnable {
         }
         _requirePermissionFrom({
-            account: resolvedOwner, projectId: ownerInfo.projectId, permissionId: ownerInfo.permissionId
+            account: resolvedOwner, projectId: ownerInfo.projectId, permissionId: effectivePermissionId
         });
     }
@@ -221,6 +236,7 @@ abstract contract JBOwnableOverrides is Context, JBPermissioned, IJBOwnable {
     /// @param permissionId The permission ID to use for `onlyOwner`.
     function _setPermissionId(uint8 permissionId) internal virtual {
         jbOwner.permissionId = permissionId;
+        _permissionOwner = owner();
         emit PermissionIdChanged({newId: permissionId, caller: _msgSender()});
     }
@@ -257,6 +273,7 @@ abstract contract JBOwnableOverrides is Context, JBPermissioned, IJBOwnable {
         // Update the stored owner information to the new owner and reset the `permissionId`.
         // This is to prevent permissions clashes for the new user/owner.
         jbOwner = JBOwner({owner: newOwner, projectId: projectId, permissionId: 0});
+        _permissionOwner = address(0);
         // Emit a transfer event with the new owner's address.
         _emitTransferEvent({previousOwner: oldOwner, newOwner: newOwner, newProjectId: projectId});
     }

package/test/audit/PermissionDriftAfterProjectTransfer.t.sol ADDED Viewed

@@ -0,0 +1,58 @@
+// SPDX-License-Identifier: UNLICENSED
+pragma solidity 0.8.28;
+import {Test} from "forge-std/Test.sol";
+import {MockOwnable} from "../mocks/MockOwnable.sol";
+import {JBPermissions} from "@bananapus/core-v6/src/JBPermissions.sol";
+import {JBProjects} from "@bananapus/core-v6/src/JBProjects.sol";
+import {JBPermissionsData} from "@bananapus/core-v6/src/structs/JBPermissionsData.sol";
+contract PermissionDriftAfterProjectTransferTest is Test {
+    JBPermissions internal permissions;
+    JBProjects internal projects;
+    address internal alice = makeAddr("alice");
+    address internal bob = makeAddr("bob");
+    address internal operator = makeAddr("operator");
+    function setUp() public {
+        permissions = new JBPermissions(address(0));
+        projects = new JBProjects(address(this), address(0), address(0));
+    }
+    function test_operatorCannotInheritOwnerAccessAfterProjectNftTransfer() public {
+        uint256 projectId = projects.createFor(alice);
+        // forge-lint: disable-next-line(unsafe-typecast)
+        MockOwnable ownable = new MockOwnable(projects, permissions, address(0), uint88(projectId));
+        vm.prank(alice);
+        ownable.setPermissionId(42);
+        uint8[] memory permissionIds = new uint8[](1);
+        permissionIds[0] = 42;
+        vm.prank(bob);
+        permissions.setPermissionsFor(
+            bob, JBPermissionsData({operator: operator, projectId: 0, permissionIds: permissionIds})
+        );
+        vm.prank(alice);
+        projects.transferFrom(alice, bob, projectId);
+        assertEq(ownable.owner(), bob, "project NFT transfer makes bob the direct owner");
+        (, uint88 storedProjectId, uint8 storedPermissionId) = ownable.jbOwner();
+        assertEq(storedProjectId, projectId, "ownable remains project-owned");
+        assertEq(storedPermissionId, 42, "old owner's permissionId survived the ownership change in storage");
+        // After the fix, the stale permissionId is ignored because the resolved owner
+        // (bob) differs from _permissionOwner (alice). The operator cannot seize ownership.
+        vm.prank(operator);
+        vm.expectRevert();
+        ownable.transferOwnership(operator);
+        // Bob is still the owner.
+        assertEq(ownable.owner(), bob, "bob retains ownership; operator was blocked");
+    }
+}

package/test/audit/PermissionIdNFTTransfer.t.sol ADDED Viewed

@@ -0,0 +1,93 @@
+// SPDX-License-Identifier: UNLICENSED
+pragma solidity 0.8.28;
+import {Test} from "forge-std/Test.sol";
+import {MockOwnable} from "../mocks/MockOwnable.sol";
+import {JBPermissions} from "@bananapus/core-v6/src/JBPermissions.sol";
+import {JBProjects} from "@bananapus/core-v6/src/JBProjects.sol";
+import {IJBPermissions} from "@bananapus/core-v6/src/interfaces/IJBPermissions.sol";
+import {IJBProjects} from "@bananapus/core-v6/src/interfaces/IJBProjects.sol";
+import {JBPermissionsData} from "@bananapus/core-v6/src/structs/JBPermissionsData.sol";
+contract PermissionIdNFTTransferTest is Test {
+    IJBProjects internal projects;
+    IJBPermissions internal permissions;
+    address internal seller = makeAddr("seller");
+    address internal buyer = makeAddr("buyer");
+    address internal buyerOperator = makeAddr("buyerOperator");
+    function setUp() public {
+        permissions = new JBPermissions(address(0));
+        projects = new JBProjects(address(this), address(0), address(0));
+    }
+    function test_projectNftTransferInvalidatesStalePermissionId() external {
+        uint256 projectId = projects.createFor(seller);
+        MockOwnable ownable = new MockOwnable(projects, permissions, address(0), uint88(projectId));
+        // Seller sets permissionId 30 while they own the project.
+        vm.prank(seller);
+        ownable.setPermissionId(30);
+        // Buyer grants their own operator permissionId 30 for this project.
+        uint8[] memory permissionIds = new uint8[](1);
+        permissionIds[0] = 30;
+        vm.prank(buyer);
+        permissions.setPermissionsFor(
+            buyer,
+            JBPermissionsData({operator: buyerOperator, projectId: uint56(projectId), permissionIds: permissionIds})
+        );
+        // Seller transfers the project NFT to buyer.
+        vm.prank(seller);
+        projects.transferFrom(seller, buyer, projectId);
+        assertEq(ownable.owner(), buyer, "project NFT transfer changes the effective owner");
+        // The stored permissionId is still 30 in the struct, but the fix makes it
+        // stale because the owner changed since the permissionId was set.
+        (,, uint8 inheritedPermissionId) = ownable.jbOwner();
+        assertEq(inheritedPermissionId, 30, "struct still holds old permissionId");
+        // The stale permissionId should NOT allow the buyer's operator through.
+        // After the fix, _checkOwner treats the permissionId as 0 (direct-owner-only)
+        // because the resolved owner != _permissionOwner.
+        vm.prank(buyerOperator);
+        vm.expectRevert();
+        ownable.protectedMethod();
+    }
+    function test_newOwnerCanSetOwnPermissionIdAndDelegateAccess() external {
+        uint256 projectId = projects.createFor(seller);
+        MockOwnable ownable = new MockOwnable(projects, permissions, address(0), uint88(projectId));
+        // Seller sets permissionId 30 while they own the project.
+        vm.prank(seller);
+        ownable.setPermissionId(30);
+        // Transfer the project NFT to buyer.
+        vm.prank(seller);
+        projects.transferFrom(seller, buyer, projectId);
+        // Buyer grants their own operator permissionId 30 for this project.
+        uint8[] memory permissionIds = new uint8[](1);
+        permissionIds[0] = 30;
+        vm.prank(buyer);
+        permissions.setPermissionsFor(
+            buyer,
+            JBPermissionsData({operator: buyerOperator, projectId: uint56(projectId), permissionIds: permissionIds})
+        );
+        // Buyer explicitly sets the permissionId on the ownable contract.
+        // This updates _permissionOwner to the buyer, making the permissionId valid.
+        vm.prank(buyer);
+        ownable.setPermissionId(30);
+        // Now buyerOperator should be able to call the protected method.
+        vm.prank(buyerOperator);
+        ownable.protectedMethod();
+    }
+}

package/test/audit/ProjectTransferPermissionPolicy.t.sol ADDED Viewed

@@ -0,0 +1,58 @@
+// SPDX-License-Identifier: UNLICENSED
+pragma solidity 0.8.28;
+import {Test} from "forge-std/Test.sol";
+import {MockOwnable} from "../mocks/MockOwnable.sol";
+import {JBPermissions} from "@bananapus/core-v6/src/JBPermissions.sol";
+import {JBProjects} from "@bananapus/core-v6/src/JBProjects.sol";
+import {JBPermissionsData} from "@bananapus/core-v6/src/structs/JBPermissionsData.sol";
+contract ProjectTransferPermissionPolicyTest is Test {
+    JBPermissions internal permissions;
+    JBProjects internal projects;
+    address internal seller = makeAddr("seller");
+    address internal buyer = makeAddr("buyer");
+    address internal operator = makeAddr("operator");
+    function setUp() public {
+        permissions = new JBPermissions(address(0));
+        projects = new JBProjects(address(this), address(0), address(0));
+    }
+    function test_stalePermissionIdAfterProjectTransferBlocksBuyerOperator() public {
+        uint256 projectId = projects.createFor(seller);
+        // forge-lint: disable-next-line(unsafe-typecast)
+        MockOwnable ownable = new MockOwnable(projects, permissions, address(0), uint88(projectId));
+        // The seller chooses a non-root ecosystem permission as this ownable's owner-equivalent permission.
+        vm.prank(seller);
+        ownable.setPermissionId(30);
+        // The buyer has independently delegated permission 30 across their projects for unrelated operations.
+        uint8[] memory permissionIds = new uint8[](1);
+        permissionIds[0] = 30;
+        vm.prank(buyer);
+        permissions.setPermissionsFor(
+            buyer, JBPermissionsData({operator: operator, projectId: 0, permissionIds: permissionIds})
+        );
+        // Buying/transferring the project NFT changes the effective owner, but does not reset permissionId in storage.
+        vm.prank(seller);
+        projects.transferFrom(seller, buyer, projectId);
+        assertEq(ownable.owner(), buyer, "buyer is now the effective owner");
+        (,, uint8 inheritedPermissionId) = ownable.jbOwner();
+        assertEq(inheritedPermissionId, 30, "seller-selected permission policy persists in storage");
+        // After the fix, the stale permissionId is ignored because the resolved owner (buyer)
+        // differs from _permissionOwner (seller). The operator is blocked.
+        vm.prank(operator);
+        vm.expectRevert();
+        ownable.protectedMethod();
+    }
+}