
fix: add access control to set_risk_tier (closes #50) #84

Open
olaleyeolajide81-sketch wants to merge 1 commit into mericcintosun:main from olaleyeolajide81-sketch:fix/issue-50-set-risk-tier-access-control

Conversation

@olaleyeolajide81-sketch


Summary

Fixes #50. set_risk_tier had no authorization check, allowing any address to overwrite any user's risk score.

Changes

risk_score/src/lib.rs

  • initialize(admin) — one-time setup that stores a trusted admin address in instance storage. Panics if called twice.
  • get_admin() — read-only helper to inspect the stored admin.
  • set_risk_tier — now calls user.require_auth() before writing. The contract also asserts it has been initialized, so an undeployed/uninitialized contract cannot be called. The admin can satisfy the user auth requirement via Soroban's auth tree (standard composable pattern for Soroban v22).
  • All 17 existing tests updated to use a setup() helper that calls initialize and mock_all_auths().
  • 4 new auth-specific tests added (test_initialize_sets_admin, test_initialize_twice_panics, test_admin_can_set_risk_tier_for_any_user, test_user_can_set_own_risk_tier).

risk_score/Cargo.toml

  • Added soroban-sdk with testutils feature to [dev-dependencies] so test utilities (mock_all_auths, Address::generate, etc.) compile correctly.

Test results

running 21 tests
test tests::test_admin_can_set_risk_tier_for_any_user ... ok
test tests::test_get_tier_stats ... ok
test tests::test_initialize_sets_admin ... ok
test tests::test_initialize_twice_panics - should panic ... ok
test tests::test_invalid_tier_validation - should panic ... ok
test tests::test_get_tier_users ... ok
test tests::test_multiple_users_different_tiers ... ok
test tests::test_no_risk_data_denies_tier_access ... ok
test tests::test_no_risk_data_returns_zero_score ... ok
test tests::test_score_update_overwrites_previous ... ok
test tests::test_score_validation_exceeds_limit - should panic ... ok
test tests::test_score_validation_upper_bound ... ok
test tests::test_set_and_get_risk_tier ... ok
test tests::test_tier_access_tier1_denied ... ok
test tests::test_tier_access_tier1_boundary ... ok
test tests::test_tier_access_tier1_low_risk ... ok
test tests::test_tier_access_tier3_always_accessible ... ok
test tests::test_tier_access_tier2_medium_risk ... ok
test tests::test_update_chosen_tier_valid ... ok
test tests::test_update_chosen_tier_high_risk_restriction - should panic ... ok
test tests::test_user_can_set_own_risk_tier ... ok

test result: ok. 21 passed; 0 failed; 0 ignored

- Add initialize(admin) to set a trusted admin address once
- set_risk_tier now requires user.require_auth() — only the user
  (or an authorized invoker acting on their behalf) can update
  their own score; uninitialized contracts are rejected
- Add get_admin() helper
- Add testutils dev-dependency to Cargo.toml
- Update all tests to use setup() helper with mock_all_auths()
- Add test_initialize_sets_admin, test_initialize_twice_panics,
  test_admin_can_set_risk_tier_for_any_user,
  test_user_can_set_own_risk_tier (21 tests, all passing)

Signed-off-by: Kiro <fix@riskon.dev>
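The access-control shape described above (one-time initialize, an initialized-contract check, then user.require_auth() before the write), as an added example that is not the project's lib.rs and does not use soroban-sdk. It is a plain-Rust model so it runs without a Soroban host: Address is assumed to be a string identifier, AuthContext stands in for the host's record of which addresses authorized the invocation (the thing require_auth is checked against), MAX_SCORE is a hypothetical score ceiling, and the vulnerable set_risk_tier_unchecked is kept beside the hardened set_risk_tier for contrast. In this model a write for a user passes only when the invocation carries that user's authorization, which is what "an authorized invoker acting on their behalf" amounts to; how that delegation is assembled in the real Soroban auth tree is outside what the model shows.

```rust
use std::collections::{HashMap, HashSet};

/// Stand-in for soroban_sdk::Address (assumption: a plain string identifier).
#[derive(Clone, Debug, PartialEq, Eq, Hash)]
pub struct Address(pub String);

impl Address {
    pub fn new(id: &str) -> Self { Address(id.to_string()) }
}

#[derive(Debug, PartialEq, Eq)]
pub enum ContractError {
    AlreadyInitialized,
    NotInitialized,
    Unauthorized(Address),
    ScoreExceedsLimit(u32),
}

/// Stand-in for the host's auth context: the addresses that authorized the
/// current invocation. An invoker acting on a user's behalf must carry that
/// user's authorization here, otherwise require_auth fails.
pub struct AuthContext {
    authorized: HashSet<Address>,
}

impl AuthContext {
    pub fn of(addrs: &[Address]) -> Self {
        AuthContext { authorized: addrs.iter().cloned().collect() }
    }

    /// Mirrors Address::require_auth(), but returns Err instead of trapping
    /// so a caller or test can assert on the rejection.
    pub fn require_auth(&self, addr: &Address) -> Result<(), ContractError> {
        if self.authorized.contains(addr) { Ok(()) } else { Err(ContractError::Unauthorized(addr.clone())) }
    }
}

/// Assumed score ceiling (hypothetical; the real bound lives in lib.rs).
pub const MAX_SCORE: u32 = 100;

/// In-memory model: `admin` plays instance storage, `scores` persistent storage.
#[derive(Default)]
pub struct RiskScoreContract {
    admin: Option<Address>,
    scores: HashMap<Address, u32>,
}

impl RiskScoreContract {
    /// One-time setup; a second call is rejected so the admin cannot be re-pointed.
    pub fn initialize(&mut self, admin: Address) -> Result<(), ContractError> {
        if self.admin.is_some() { return Err(ContractError::AlreadyInitialized); }
        self.admin = Some(admin);
        Ok(())
    }

    pub fn get_admin(&self) -> Option<&Address> { self.admin.as_ref() }

    /// The shape reported in issue #50: no authorization check, so any caller
    /// can overwrite any user's score. Kept only for contrast.
    pub fn set_risk_tier_unchecked(&mut self, user: Address, score: u32) -> Result<(), ContractError> {
        if score > MAX_SCORE { return Err(ContractError::ScoreExceedsLimit(score)); }
        self.scores.insert(user, score);
        Ok(())
    }

    /// Hardened shape: reject an uninitialized contract, then demand the target
    /// user's authorization before anything is written.
    pub fn set_risk_tier(&mut self, auth: &AuthContext, user: Address, score: u32) -> Result<(), ContractError> {
        if self.admin.is_none() { return Err(ContractError::NotInitialized); }
        auth.require_auth(&user)?;
        self.set_risk_tier_unchecked(user, score)
    }

    /// No stored data reads as zero (cf. test_no_risk_data_returns_zero_score).
    pub fn get_risk_score(&self, user: &Address) -> u32 {
        self.scores.get(user).copied().unwrap_or(0)
    }
}

/// Replays the PR's scenarios against the model with constructed addresses. Returns
/// (uninitialized_rejected, second_init_rejected, owner_write_ok, stranger_rejected).
pub fn demo() -> (bool, bool, bool, bool) {
    let (admin, alice, mallory) = (Address::new("GADMIN"), Address::new("GALICE"), Address::new("GMALLORY"));
    let alice_auth = AuthContext::of(&[alice.clone()]);
    let mut c = RiskScoreContract::default();

    let uninit = c.set_risk_tier(&alice_auth, alice.clone(), 42) == Err(ContractError::NotInitialized);
    c.initialize(admin).unwrap();
    let second_init = c.initialize(mallory.clone()) == Err(ContractError::AlreadyInitialized);
    let owner_ok = c.set_risk_tier(&alice_auth, alice.clone(), 42).is_ok() && c.get_risk_score(&alice) == 42;
    // Mallory authorizes only herself and tries to overwrite Alice's score: rejected, score untouched.
    let stranger = c.set_risk_tier(&AuthContext::of(&[mallory]), alice.clone(), 99)
        == Err(ContractError::Unauthorized(alice.clone()))
        && c.get_risk_score(&alice) == 42;
    (uninit, second_init, owner_ok, stranger)
}
```

Because require_auth here returns an error rather than trapping, the same scenarios the PR covers with `should_panic` tests become plain equality checks; the mock_all_auths() shortcut from the PR's setup() helper corresponds to an AuthContext that contains every address, which is exactly why an auth-specific test should also run with a context that omits the target user.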

vercel Bot commented Apr 30, 2026


Someone is attempting to deploy a commit to the mericcintosun Team on Vercel.

A member of the Team first needs to authorize it.


Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

[Security] set_risk_tier has no access control — any address can overwrite any user's score

1 participant