remove built-in entitlements

onflow · Apr 24, 2024 · 547abbe · 547abbe
1 parent 0c8ef75
commit 547abbe
Show file tree

Hide file tree

Showing 20 changed files with 49 additions and 38 deletions.
diff --git a/contracts/CapabilityDelegator.cdc b/contracts/CapabilityDelegator.cdc
@@ -15,6 +15,9 @@ access(all) contract CapabilityDelegator {
     access(all) let PublicPath: PublicPath
 
     access(all) entitlement Get
+    access(all) entitlement Owner
+    access(all) entitlement Add
+    access(all) entitlement Delete
 
     /* --- Events --- */
     //
@@ -123,7 +126,7 @@ access(all) contract CapabilityDelegator {
         /// @param cap: Capability to add
         /// @param isPublic: Whether the Capability should be public or private
         ///
-        access(Mutate | Insert) fun addCapability(cap: Capability, isPublic: Bool) {
+        access(Owner | Add) fun addCapability(cap: Capability, isPublic: Bool) {
             pre {
                 cap.check<&AnyResource>(): "Invalid Capability provided"
             }
@@ -139,7 +142,7 @@ access(all) contract CapabilityDelegator {
         ///
         /// @param cap: Capability to remove
         ///
-        access(Mutate | Remove) fun removeCapability(cap: Capability) {
+        access(Owner | Delete) fun removeCapability(cap: Capability) {
             if let removedPublic = self.publicCapabilities.remove(key: cap.getType()) {
                 emit DelegatorUpdated(id: self.uuid, capabilityType: cap.getType(), isPublic: true, active: false)
             }

diff --git a/contracts/CapabilityFactory.cdc b/contracts/CapabilityFactory.cdc
@@ -17,6 +17,10 @@ access(all) contract CapabilityFactory {
 
     access(all) let StoragePath: StoragePath
     access(all) let PublicPath: PublicPath
+
+    access(all) entitlement Owner
+    access(all) entitlement Add
+    access(all) entitlement Delete
 
     /// Factory structures a common interface for Capability retrieval from a given account at a specified path
     ///
@@ -60,7 +64,7 @@ access(all) contract CapabilityFactory {
         /// @param t: Type of Capability the Factory retrieves
         /// @param f: Factory to add
         ///
-        access(Mutate | Insert) fun addFactory(_ t: Type, _ f: {CapabilityFactory.Factory}) {
+        access(Owner | Add) fun addFactory(_ t: Type, _ f: {CapabilityFactory.Factory}) {
             pre {
                 !self.factories.containsKey(t): "Factory of given type already exists"
             }
@@ -72,15 +76,15 @@ access(all) contract CapabilityFactory {
         /// @param t: Type of Capability the Factory retrieves
         /// @param f: Factory to replace existing Factory
         ///
-        access(Mutate | Insert) fun updateFactory(_ t: Type, _ f: {CapabilityFactory.Factory}) {
+        access(Owner | Add) fun updateFactory(_ t: Type, _ f: {CapabilityFactory.Factory}) {
             self.factories[t] = f
         }
 
         /// Removes a Factory from the Manager, returning it or nil if it didn't exist
         ///
         /// @param t: Type the Factory is indexed on
         ///
-        access(Mutate | Remove) fun removeFactory(_ t: Type): {CapabilityFactory.Factory}? {
+        access(Owner | Delete) fun removeFactory(_ t: Type): {CapabilityFactory.Factory}? {
             return self.factories.remove(key: t)
         }
 

diff --git a/contracts/CapabilityFilter.cdc b/contracts/CapabilityFilter.cdc
@@ -13,6 +13,10 @@ access(all) contract CapabilityFilter {
     access(all) let StoragePath: StoragePath
     access(all) let PublicPath: PublicPath
 
+    access(all) entitlement Owner
+    access(all) entitlement Add
+    access(all) entitlement Delete
+
     /* --- Events --- */
     //
     access(all) event FilterUpdated(id: UInt64, filterType: Type, type: Type, active: Bool)
@@ -38,7 +42,7 @@ access(all) contract CapabilityFilter {
         /// 
         /// @param type: The type to add to the denied types mapping
         ///
-        access(Mutate | Insert) fun addType(_ type: Type) {
+        access(Owner | Add) fun addType(_ type: Type) {
             self.deniedTypes.insert(key: type, true)
             emit FilterUpdated(id: self.uuid, filterType: self.getType(), type: type, active: true)
         }
@@ -47,15 +51,15 @@ access(all) contract CapabilityFilter {
         ///
         /// @param type: The type to remove from the denied types mapping
         ///
-        access(Mutate | Remove) fun removeType(_ type: Type) {
+        access(Owner | Delete) fun removeType(_ type: Type) {
             if let removed = self.deniedTypes.remove(key: type) {
                 emit FilterUpdated(id: self.uuid, filterType: self.getType(), type: type, active: false)
             }
         }
 
         /// Removes all types from the mapping of denied types
         ///
-        access(Mutate | Remove) fun removeAllTypes() {
+        access(Owner | Delete) fun removeAllTypes() {
             for type in self.deniedTypes.keys {
                 self.removeType(type)
             }
@@ -105,7 +109,7 @@ access(all) contract CapabilityFilter {
         /// 
         /// @param type: The type to add to the allowed types mapping
         ///
-        access(Mutate | Insert) fun addType(_ type: Type) {
+        access(Owner | Add) fun addType(_ type: Type) {
             self.allowedTypes.insert(key: type, true)
             emit FilterUpdated(id: self.uuid, filterType: self.getType(), type: type, active: true)
         }
@@ -114,15 +118,15 @@ access(all) contract CapabilityFilter {
         ///
         /// @param type: The type to remove from the denied types mapping
         ///
-        access(Mutate | Remove) fun removeType(_ type: Type) {
+        access(Owner | Delete) fun removeType(_ type: Type) {
             if let removed = self.allowedTypes.remove(key: type) {
                 emit FilterUpdated(id: self.uuid, filterType: self.getType(), type: type, active: false)
             }
         }
 
         /// Removes all types from the mapping of denied types
         ///
-        access(Mutate | Remove) fun removeAllTypes() {
+        access(Owner | Delete) fun removeAllTypes() {
             for type in self.allowedTypes.keys {
                 self.removeType(type)
             }

diff --git a/contracts/HybridCustody.cdc b/contracts/HybridCustody.cdc
@@ -234,13 +234,13 @@ access(all) contract HybridCustody {
     /// Entry point for a parent to obtain, maintain and access Capabilities or perform other actions on child accounts
     ///
     access(all) resource interface ManagerPrivate {
-        access(Manage | Insert) fun addAccount(cap: Capability<auth(Child) &{AccountPrivate, AccountPublic, ViewResolver.Resolver}>)
+        access(Manage) fun addAccount(cap: Capability<auth(Child) &{AccountPrivate, AccountPublic, ViewResolver.Resolver}>)
         access(Manage) fun borrowAccount(addr: Address): auth(Child) &{AccountPrivate, AccountPublic, ViewResolver.Resolver}?
-        access(Manage | Remove) fun removeChild(addr: Address)
-        access(Manage | Insert) fun addOwnedAccount(cap: Capability<auth(Owner) &{OwnedAccountPrivate, OwnedAccountPublic, ViewResolver.Resolver}>)
+        access(Manage) fun removeChild(addr: Address)
+        access(Manage) fun addOwnedAccount(cap: Capability<auth(Owner) &{OwnedAccountPrivate, OwnedAccountPublic, ViewResolver.Resolver}>)
         access(Manage) fun borrowOwnedAccount(addr: Address): auth(Owner) &{OwnedAccountPrivate, OwnedAccountPublic, ViewResolver.Resolver}?
-        access(Manage | Remove) fun removeOwned(addr: Address)
-        access(Manage | Mutate) fun setManagerCapabilityFilter(cap: Capability<&{CapabilityFilter.Filter}>?, childAddress: Address) {
+        access(Manage) fun removeOwned(addr: Address)
+        access(Manage) fun setManagerCapabilityFilter(cap: Capability<&{CapabilityFilter.Filter}>?, childAddress: Address) {
             pre {
                 cap == nil || cap!.check(): "Invalid Manager Capability Filter"
             }
@@ -282,7 +282,7 @@ access(all) contract HybridCustody {
 
         /// Sets the Display on the ChildAccount. If nil, the display is removed.
         ///
-        access(Manage | Mutate) fun setChildAccountDisplay(address: Address, _ d: MetadataViews.Display?) {
+        access(Manage) fun setChildAccountDisplay(address: Address, _ d: MetadataViews.Display?) {
             pre {
                 self.childAccounts[address] != nil: "There is no child account with this address"
             }
@@ -316,7 +316,7 @@ access(all) contract HybridCustody {
 
         /// Sets the default Filter Capability for this Manager. Does not propagate to child accounts.
         ///
-        access(Manage | Mutate) fun setDefaultManagerCapabilityFilter(cap: Capability<&{CapabilityFilter.Filter}>?) {
+        access(Manage) fun setDefaultManagerCapabilityFilter(cap: Capability<&{CapabilityFilter.Filter}>?) {
             pre {
                 cap == nil || cap!.check(): "supplied capability must be nil or check must pass"
             }
@@ -326,7 +326,7 @@ access(all) contract HybridCustody {
 
         /// Sets the Filter Capability for this Manager, propagating to the specified child account
         ///
-        access(Manage | Mutate) fun setManagerCapabilityFilter(cap: Capability<&{CapabilityFilter.Filter}>?, childAddress: Address) {
+        access(Manage) fun setManagerCapabilityFilter(cap: Capability<&{CapabilityFilter.Filter}>?, childAddress: Address) {
             let acct = self.borrowAccount(addr: childAddress) 
                 ?? panic("child account not found")
 
@@ -1124,9 +1124,9 @@ access(all) contract HybridCustody {
 
         /// Retrieves a reference to the Delegator associated with the given parent account if one exists.
         ///
-        access(Owner) fun borrowCapabilityDelegatorForParent(parent: Address): auth(Mutate) &CapabilityDelegator.Delegator? {
+        access(Owner) fun borrowCapabilityDelegatorForParent(parent: Address): auth(CapabilityDelegator.Owner) &CapabilityDelegator.Delegator? {
             let identifier = HybridCustody.getCapabilityDelegatorIdentifier(parent)
-            return self.borrowAccount().storage.borrow<auth(Mutate) &CapabilityDelegator.Delegator>(from: StoragePath(identifier: identifier)!)
+            return self.borrowAccount().storage.borrow<auth(CapabilityDelegator.Owner) &CapabilityDelegator.Delegator>(from: StoragePath(identifier: identifier)!)
         }
 
         /// Adds the provided Capability to the Delegator associated with the given parent account.

diff --git a/scripts/test/add_type_for_nft_provider_factory.cdc b/scripts/test/add_type_for_nft_provider_factory.cdc
@@ -4,7 +4,7 @@ import "NFTProviderFactory"
 import "NonFungibleToken"
 
 access(all) fun main(address: Address, type: Type): Bool {
-    let managerRef = getAuthAccount<auth(Storage) &Account>(address).storage.borrow<auth(Mutate) &CapabilityFactory.Manager>(
+    let managerRef = getAuthAccount<auth(Storage) &Account>(address).storage.borrow<auth(CapabilityFactory.Owner) &CapabilityFactory.Manager>(
         from: CapabilityFactory.StoragePath
     ) ?? panic("CapabilityFactory Manager not found")
 

diff --git a/scripts/test/remove_nft_provider_factory.cdc b/scripts/test/remove_nft_provider_factory.cdc
@@ -5,7 +5,7 @@ import "NonFungibleToken"
 
 access(all) fun main(address: Address): Bool {
 
-    let managerRef = getAuthAccount<auth(Storage) &Account>(address).storage.borrow<auth(Mutate) &CapabilityFactory.Manager>(from: CapabilityFactory.StoragePath)
+    let managerRef = getAuthAccount<auth(Storage) &Account>(address).storage.borrow<auth(CapabilityFactory.Owner) &CapabilityFactory.Manager>(from: CapabilityFactory.StoragePath)
         ?? panic("CapabilityFactory Manager not found")
 
     let expectedType = Type<NFTProviderFactory.Factory>()

diff --git a/scripts/test/update_nft_provider_factory.cdc b/scripts/test/update_nft_provider_factory.cdc
@@ -4,7 +4,7 @@ import "NFTProviderFactory"
 import "NonFungibleToken"
 
 access(all) fun main(address: Address) {
-    let managerRef = getAuthAccount<auth(Storage) &Account>(address).storage.borrow<auth(Mutate) &CapabilityFactory.Manager>(from: CapabilityFactory.StoragePath)
+    let managerRef = getAuthAccount<auth(Storage) &Account>(address).storage.borrow<auth(CapabilityFactory.Owner) &CapabilityFactory.Manager>(from: CapabilityFactory.StoragePath)
         ?? panic("CapabilityFactory Manager not found")
 
     let nftProviderFactory = NFTProviderFactory.Factory()

diff --git a/transactions/delegator/add_private_nft_collection.cdc b/transactions/delegator/add_private_nft_collection.cdc
@@ -6,7 +6,7 @@ import "ExampleNFT"
 
 transaction {
     prepare(acct: auth(BorrowValue, Capabilities) &Account) {
-        let delegator = acct.storage.borrow<auth(Mutate) &CapabilityDelegator.Delegator>(from: CapabilityDelegator.StoragePath)
+        let delegator = acct.storage.borrow<auth(CapabilityDelegator.Owner) &CapabilityDelegator.Delegator>(from: CapabilityDelegator.StoragePath)
             ?? panic("delegator not found")
 
         let d = ExampleNFT.resolveContractView(resourceType: nil, viewType: Type<MetadataViews.NFTCollectionData>())! as! MetadataViews.NFTCollectionData

diff --git a/transactions/delegator/add_public_nft_collection.cdc b/transactions/delegator/add_public_nft_collection.cdc
@@ -5,7 +5,7 @@ import "ExampleNFT"
 
 transaction {
     prepare(acct: auth(BorrowValue) &Account) {
-        let delegator = acct.storage.borrow<auth(Mutate) &CapabilityDelegator.Delegator>(from: CapabilityDelegator.StoragePath)
+        let delegator = acct.storage.borrow<auth(CapabilityDelegator.Owner) &CapabilityDelegator.Delegator>(from: CapabilityDelegator.StoragePath)
             ?? panic("delegator not found")
 
         let sharedCap 

diff --git a/transactions/delegator/remove_private_nft_collection.cdc b/transactions/delegator/remove_private_nft_collection.cdc
@@ -6,7 +6,7 @@ import "ExampleNFT"
 
 transaction {
     prepare(acct: auth(BorrowValue, Capabilities) &Account) {
-        let delegator = acct.storage.borrow<auth(Mutate) &CapabilityDelegator.Delegator>(from: CapabilityDelegator.StoragePath)
+        let delegator = acct.storage.borrow<auth(CapabilityDelegator.Owner) &CapabilityDelegator.Delegator>(from: CapabilityDelegator.StoragePath)
             ?? panic("delegator not found")
 
         let d = ExampleNFT.resolveContractView(resourceType: nil, viewType: Type<MetadataViews.NFTCollectionData>())! as! MetadataViews.NFTCollectionData

diff --git a/transactions/delegator/remove_public_nft_collection.cdc b/transactions/delegator/remove_public_nft_collection.cdc
@@ -5,7 +5,7 @@ import "ExampleNFT"
 
 transaction {
     prepare(acct: auth(BorrowValue, Capabilities) &Account) {
-        let delegator = acct.storage.borrow<auth(Mutate) &CapabilityDelegator.Delegator>(from: CapabilityDelegator.StoragePath)
+        let delegator = acct.storage.borrow<auth(CapabilityDelegator.Owner) &CapabilityDelegator.Delegator>(from: CapabilityDelegator.StoragePath)
             ?? panic("delegator not found")
 
         let sharedCap 

diff --git a/transactions/dev-setup/setup_nft_filter_and_factory_manager.cdc b/transactions/dev-setup/setup_nft_filter_and_factory_manager.cdc
@@ -67,7 +67,7 @@ transaction(nftContractAddress: Address, nftContractName: String) {
             message: "CapabilityFactory is not setup properly"
         )
 
-        let factoryManager = acct.storage.borrow<auth(Mutate) &CapabilityFactory.Manager>(from: CapabilityFactory.StoragePath)
+        let factoryManager = acct.storage.borrow<auth(CapabilityFactory.Owner) &CapabilityFactory.Manager>(from: CapabilityFactory.StoragePath)
             ?? panic("CapabilityFactory Manager not found")
 
         // Add NFT-related Factories to the Manager
@@ -95,7 +95,7 @@ transaction(nftContractAddress: Address, nftContractName: String) {
             message: "AllowlistFilter is not setup properly"
         )
 
-        let filter = acct.storage.borrow<auth(Mutate) &CapabilityFilter.AllowlistFilter>(from: CapabilityFilter.StoragePath)
+        let filter = acct.storage.borrow<auth(CapabilityFilter.Owner) &CapabilityFilter.AllowlistFilter>(from: CapabilityFilter.StoragePath)
             ?? panic("AllowlistFilter does not exist")
 
         // Construct an NFT Collection Type from the provided args & add to the AllowlistFilter

diff --git a/transactions/factory/setup_ft_manager.cdc b/transactions/factory/setup_ft_manager.cdc
@@ -27,7 +27,7 @@ transaction {
             message: "CapabilityFactory is not setup properly"
         )
 
-        let manager = acct.storage.borrow<auth(Mutate) &CapabilityFactory.Manager>(from: CapabilityFactory.StoragePath)
+        let manager = acct.storage.borrow<auth(CapabilityFactory.Owner) &CapabilityFactory.Manager>(from: CapabilityFactory.StoragePath)
             ?? panic("manager not found")
 
         manager.updateFactory(Type<auth(FungibleToken.Withdraw) &{FungibleToken.Provider}>(), FTProviderFactory.Factory())

diff --git a/transactions/factory/setup_nft_ft_manager.cdc b/transactions/factory/setup_nft_ft_manager.cdc
@@ -30,7 +30,7 @@ transaction {
             message: "CapabilityFactory is not setup properly"
         )
 
-        let manager = acct.storage.borrow<auth(Mutate) &CapabilityFactory.Manager>(from: CapabilityFactory.StoragePath) ?? panic("manager not found")
+        let manager = acct.storage.borrow<auth(CapabilityFactory.Owner) &CapabilityFactory.Manager>(from: CapabilityFactory.StoragePath) ?? panic("manager not found")
 
         manager.updateFactory(Type<&{NonFungibleToken.CollectionPublic}>(), NFTCollectionPublicFactory.Factory())
         manager.updateFactory(Type<auth(NonFungibleToken.Withdraw) &{NonFungibleToken.Provider, NonFungibleToken.CollectionPublic}>(), NFTProviderAndCollectionFactory.Factory())

diff --git a/transactions/factory/setup_nft_manager.cdc b/transactions/factory/setup_nft_manager.cdc
@@ -24,7 +24,7 @@ transaction {
             message: "CapabilityFactory is not setup properly"
         )
 
-        let manager = acct.storage.borrow<auth(Mutate) &CapabilityFactory.Manager>(from: CapabilityFactory.StoragePath)
+        let manager = acct.storage.borrow<auth(CapabilityFactory.Owner) &CapabilityFactory.Manager>(from: CapabilityFactory.StoragePath)
             ?? panic("manager not found")
 
         manager.updateFactory(Type<&{NonFungibleToken.CollectionPublic}>(), NFTCollectionPublicFactory.Factory())

diff --git a/transactions/filter/allow/add_type_to_list.cdc b/transactions/filter/allow/add_type_to_list.cdc
@@ -2,7 +2,7 @@ import "CapabilityFilter"
 
 transaction(identifier: String) {
     prepare(acct: auth(Storage) &Account) {
-        let filter = acct.storage.borrow<auth(Mutate) &CapabilityFilter.AllowlistFilter>(from: CapabilityFilter.StoragePath)
+        let filter = acct.storage.borrow<auth(CapabilityFilter.Owner) &CapabilityFilter.AllowlistFilter>(from: CapabilityFilter.StoragePath)
             ?? panic("filter does not exist")
 
         let c = CompositeType(identifier)!

diff --git a/transactions/filter/allow/remove_all_types.cdc b/transactions/filter/allow/remove_all_types.cdc
@@ -2,7 +2,7 @@ import "CapabilityFilter"
 
 transaction() {
     prepare(acct: auth(Storage) &Account) {
-        let filter = acct.storage.borrow<auth(Mutate) &CapabilityFilter.AllowlistFilter>(from: CapabilityFilter.StoragePath)
+        let filter = acct.storage.borrow<auth(CapabilityFilter.Owner) &CapabilityFilter.AllowlistFilter>(from: CapabilityFilter.StoragePath)
             ?? panic("filter does not exist")
 
         filter.removeAllTypes()

diff --git a/transactions/filter/deny/add_type_to_list.cdc b/transactions/filter/deny/add_type_to_list.cdc
@@ -2,7 +2,7 @@ import "CapabilityFilter"
 
 transaction(identifier: String) {
     prepare(acct: auth(Storage) &Account) {
-        let filter = acct.storage.borrow<auth(Mutate) &CapabilityFilter.DenylistFilter>(from: CapabilityFilter.StoragePath)
+        let filter = acct.storage.borrow<auth(CapabilityFilter.Owner) &CapabilityFilter.DenylistFilter>(from: CapabilityFilter.StoragePath)
             ?? panic("filter does not exist")
 
         let c = CompositeType(identifier)!

diff --git a/transactions/filter/deny/remove_all_types.cdc b/transactions/filter/deny/remove_all_types.cdc
@@ -2,7 +2,7 @@ import "CapabilityFilter"
 
 transaction() {
     prepare(acct: auth(Storage) &Account) {
-        let filter = acct.storage.borrow<auth(Mutate) &CapabilityFilter.DenylistFilter>(from: CapabilityFilter.StoragePath)
+        let filter = acct.storage.borrow<auth(CapabilityFilter.Owner) &CapabilityFilter.DenylistFilter>(from: CapabilityFilter.StoragePath)
             ?? panic("filter does not exist")
 
         filter.removeAllTypes()

diff --git a/transactions/test/add_type_for_nft_provider_factory.cdc b/transactions/test/add_type_for_nft_provider_factory.cdc
@@ -5,7 +5,7 @@ import "NonFungibleToken"
 
 transaction(type: Type) {
     prepare(account: auth(Storage) &Account) {
-        let managerRef = account.storage.borrow<auth(Mutate) &CapabilityFactory.Manager>(
+        let managerRef = account.storage.borrow<auth(CapabilityFactory.Owner) &CapabilityFactory.Manager>(
             from: CapabilityFactory.StoragePath
         ) ?? panic("CapabilityFactory Manager not found")