
Restrict `capabilities.publish` to account's own capabilities

Open • bluesign opened this issue 2 years ago • 1 comment

Currently it is possible to republish someone else's capability via the new capabilities API; I think it makes sense to keep the old restriction.

There are a lot of scenarios (voting, gating on the existence of an NFT) that usually check whether an account owns some balance or resource by checking a public path capability. With this change of behaviour, that will now be an extra burden for developers and a small footgun.

This FLIP suggests adding a restriction to the capability API, permitting only capabilities from the same account address to be published via `capabilities.publish`.

Previous Discussion: https://github.com/onflow/cadence/issues/2768
Draft PR: https://github.com/onflow/cadence/pull/2782
FLIP Discussion: https://github.com/onflow/flips/pull/197

bluesign • Sep 13 '23 10:09
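The scenario described in the issue above, as an added example that is not part of the original issue or of the Cadence code base: a simplified Python model (not Cadence) of publishing a capability to a public path, with and without the proposed restriction, and of a gating check that stays correct either way. All names (`Account`, `Capability`, `naive_gate`, `strict_gate`, the addresses and the path) are hypothetical.

```python
"""Simplified model of public-path capability publishing (not Cadence itself)."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Capability:
    address: str   # account whose storage the capability targets
    resource: str  # label of the stored resource it would borrow


@dataclass
class Account:
    address: str
    restrict_publish: bool  # True models the restriction proposed in the FLIP
    public: dict = field(default_factory=dict)

    def issue(self, resource: str) -> Capability:
        # An account only issues capabilities that target its own storage.
        return Capability(self.address, resource)

    def publish(self, cap: Capability, path: str) -> None:
        if self.restrict_publish and cap.address != self.address:
            raise PermissionError("capability belongs to " + cap.address)
        self.public[path] = cap


def naive_gate(account: Account, path: str) -> bool:
    # Footgun: a capability existing at the public path is read as ownership.
    return path in account.public


def strict_gate(account: Account, path: str) -> bool:
    # Defensive check: the capability must target the account being checked.
    cap = account.public.get(path)
    return cap is not None and cap.address == account.address


def scenario(restrict: bool):
    alice = Account("0xA", restrict)  # constructed sample addresses
    bob = Account("0xB", restrict)
    path = "/public/nftCollection"    # constructed sample path
    cap = alice.issue("NFT collection")
    alice.publish(cap, path)
    try:
        bob.publish(cap, path)        # the republish the issue describes
        republished = True
    except PermissionError:
        republished = False
    return republished, naive_gate(bob, path), strict_gate(bob, path)
```

Without the restriction the naive gate accepts the second account although it holds nothing; the address comparison in `strict_gate` is the extra check developers would otherwise have to remember.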

Hi @bluesign - do you know what's the latest status on this FLIP?

KshitijChaudhary666 • Jul 23 '24 18:07