Access control in Cadence contract

p1xelch1ck · January 23, 2022, 7:49pm

Hi,

I’m following flow tutorials and need help with contract level access controls.

Example: I want to extend ExampleNFT to have a flag that can be set only by the NFT’s owner but read by everyone.

I added a pub var flag [isLostOrStolen]
Created a setter with access(account) access [setLostOrStolen]

See the code here: https://testnet.flowscan.org/contract/A.b9af6584a32f2225.BlockchainBackedItem1

When I try to execute:

import BlockchainBackedItem1 from 0xb9af6584a32f2225

transaction(id: UInt64) {
    prepare(signer: AuthAccount) {
        let collectionRef = signer.getCapability(BlockchainBackedItem1.CollectionPublicPath)
            .borrow<&{BlockchainBackedItem1.BlockchainBackedItemCollectionPublic}>()
            ?? panic("Could not get receiver reference to the NFT Collection")

        let bbi = collectionRef.borrowBlockchainBackedItem(id: id)

        bbi.setLostOrStolen()
    }
}

I get

|
12 |         bbi.setLostOrStolen()
   |             ^^^^^^^^^^^^^^^ unknown member

It looks like I can’t access functions with account(access) using a transaction signed by the account owner.
Am I doing something wrong?

I could create an Admin resource that has a public function that flips the flag and is stored in the account without creating a public capability, to restrict the access, but it sounds overcomplicated. What is an advised approach to implement a simple flag that is modified by the account owner?

j00lz · January 24, 2022, 5:51am

Problem is access(account) can only be accessed by other contracts in the same account. (The account itself can’t access via a transaction)

In your case you can just make it pub which will make it readable by all and only settable by the current owner of the resource.

p1xelch1ck · January 24, 2022, 6:22am

Oh geez, so obvious. Thank you so much!

p1xelch1ck · January 31, 2022, 5:28am

I tried setting access to variables as pub, but if I try to change it directly using a signed transaction I get:

error: cannot assign to `isLostOrStolen`: field has public access

^^^^^^^^^ consider making it publicly settable with `pub(set)`

I’m guessing that’s because transaction is outside of the scope in which this variable lives.

Making it pub(set) will allow other accounts modify it, which I don’t want.
I also tried using setters, but

pub fun setLost() {
    self.isLostOrStolen
}

also can be called by anyone.
Any other suggestions?

bastian · February 1, 2022, 6:03pm

If you want to protect certain functionality from access by everyone and want to only grant access to certain users, have a read through https://docs.onflow.org/cadence/language/capability-based-access-control/ and https://docs.onflow.org/cadence/msg-sender/. In particular, https://docs.onflow.org/cadence/msg-sender/#admin-rights shows how you can allow controlled access to e.g. setLostOrStolen in your case.

p1xelch1ck · February 5, 2022, 5:51am

Got it. Thanks for pointing me to the right direction @turbolent !

Topic		Replies	Views
Make NFTMinter resource publicly available to all users 🏄🏻‍♀️ Cadence	2	646	July 21, 2021
"Everything on the blockchain is public": Can this be further explained? New To Flow cadence	0	256	August 20, 2023
Accessing Collections in Cadence 1.0 🏄🏻‍♀️ Cadence	6	112	September 30, 2024
[solved] Unable to transfer NFT's Users Troubleshooting collection , cadence	2	1468	August 18, 2022
Fixed: Vulnerable Accounts 2024-10-01 Security Notifications	0	112	October 1, 2024

Access control in Cadence contract

Related topics