From f31e30832aa198df1e1d26c22da58a1468b56645 Mon Sep 17 00:00:00 2001
From: librelois <c@elo.tf>
Date: Sun, 10 Jul 2022 15:51:38 +0200
Subject: [PATCH] fix(proxy): some calls should never be authorized from proxy

---
 runtime/g1/src/lib.rs                   | 12 +++++++++---
 runtime/gdev/src/lib.rs                 | 12 +++++++++---
 runtime/gdev/tests/integration_tests.rs |  2 +-
 runtime/gtest/src/lib.rs                | 12 +++++++++---
 4 files changed, 28 insertions(+), 10 deletions(-)

diff --git a/runtime/g1/src/lib.rs b/runtime/g1/src/lib.rs
index 75f12540d..5a28e63f1 100644
--- a/runtime/g1/src/lib.rs
+++ b/runtime/g1/src/lib.rs
@@ -159,19 +159,25 @@ impl Contains<Call> for BaseCallFilter {
 )]
 #[allow(clippy::unnecessary_cast)]
 pub enum ProxyType {
-    Any = 0,
+    AlmostAny = 0,
     TransferOnly = 1,
     CancelProxy = 2,
 }
 impl Default for ProxyType {
     fn default() -> Self {
-        Self::Any
+        Self::AlmostAny
     }
 }
 impl frame_support::traits::InstanceFilter<Call> for ProxyType {
     fn filter(&self, c: &Call) -> bool {
         match self {
-            ProxyType::Any => true,
+            ProxyType::AlmostAny => {
+                // Some calls are never authorized from a proxied account
+                !matches!(
+                    c,
+                    Call::Cert(..) | Call::Identity(..) | Call::SmithsCert(..)
+                )
+            }
             ProxyType::TransferOnly => {
                 matches!(c, Call::Balances(..) | Call::UniversalDividend(..))
             }
diff --git a/runtime/gdev/src/lib.rs b/runtime/gdev/src/lib.rs
index 6e574292b..f350f9f2b 100644
--- a/runtime/gdev/src/lib.rs
+++ b/runtime/gdev/src/lib.rs
@@ -181,20 +181,26 @@ impl Contains<Call> for BaseCallFilter {
 )]
 #[allow(clippy::unnecessary_cast)]
 pub enum ProxyType {
-    Any = 0,
+    AlmostAny = 0,
     TransferOnly = 1,
     CancelProxy = 2,
     SmithsCollectivePropose = 3,
 }
 impl Default for ProxyType {
     fn default() -> Self {
-        Self::Any
+        Self::AlmostAny
     }
 }
 impl frame_support::traits::InstanceFilter<Call> for ProxyType {
     fn filter(&self, c: &Call) -> bool {
         match self {
-            ProxyType::Any => true,
+            ProxyType::AlmostAny => {
+                // Some calls are never authorized from a proxied account
+                !matches!(
+                    c,
+                    Call::Cert(..) | Call::Identity(..) | Call::SmithsCert(..)
+                )
+            }
             ProxyType::TransferOnly => {
                 matches!(c, Call::Balances(..) | Call::UniversalDividend(..))
             }
diff --git a/runtime/gdev/tests/integration_tests.rs b/runtime/gdev/tests/integration_tests.rs
index 3cad420ec..5c8c50df9 100644
--- a/runtime/gdev/tests/integration_tests.rs
+++ b/runtime/gdev/tests/integration_tests.rs
@@ -71,7 +71,7 @@ fn verify_pallet_indices() {
 
 #[test]
 fn verify_proxy_type_indices() {
-    assert_eq!(ProxyType::Any as u8, 0);
+    assert_eq!(ProxyType::AlmostAny as u8, 0);
 }
 
 #[test]
diff --git a/runtime/gtest/src/lib.rs b/runtime/gtest/src/lib.rs
index 43c84ab9e..0c534e3a5 100644
--- a/runtime/gtest/src/lib.rs
+++ b/runtime/gtest/src/lib.rs
@@ -160,19 +160,25 @@ impl Contains<Call> for BaseCallFilter {
 )]
 #[allow(clippy::unnecessary_cast)]
 pub enum ProxyType {
-    Any = 0,
+    AlmostAny = 0,
     TransferOnly = 1,
     CancelProxy = 2,
 }
 impl Default for ProxyType {
     fn default() -> Self {
-        Self::Any
+        Self::AlmostAny
     }
 }
 impl frame_support::traits::InstanceFilter<Call> for ProxyType {
     fn filter(&self, c: &Call) -> bool {
         match self {
-            ProxyType::Any => true,
+            ProxyType::AlmostAny => {
+                // Some calls are never authorized from a proxied account
+                !matches!(
+                    c,
+                    Call::Cert(..) | Call::Identity(..) | Call::SmithsCert(..)
+                )
+            }
             ProxyType::TransferOnly => {
                 matches!(c, Call::Balances(..) | Call::UniversalDividend(..))
             }
-- 
GitLab