fix: protect setURI (#104)

## Summary by Sourcery Tests: - Add a test case to verify that only users with the admin role can call the `setURI` function.
settlemint · Feb 4, 2025 · 18470ec · 18470ec
1 parent f3d4870
commit 18470ec
Show file tree

Hide file tree

Showing 2 changed files with 8 additions and 0 deletions.
diff --git a/contracts/SoulboundToken.sol b/contracts/SoulboundToken.sol
@@ -91,6 +91,7 @@ contract Soulbound is
     }
 
     function setURI(string memory newuri) external {
+        require(hasRole(DEFAULT_ADMIN_ROLE, msg.sender), "Caller is not an admin role authorised");
         _setURI(newuri);
     }
 

diff --git a/test/SoulboundToken.t.sol b/test/SoulboundToken.t.sol
@@ -8,6 +8,7 @@ import { IERC1155 } from "@openzeppelin/contracts/token/ERC1155/IERC1155.sol";
 contract SoulboundTokenTest is Test {
     Soulbound soulbound;
     address operator = address(0x123);
+    address user = makeAddr("user");
     string uri = "https://example.com/metadata/";
     string newUri = "https://example.com/new-metadata/";
 
@@ -52,6 +53,12 @@ contract SoulboundTokenTest is Test {
         assertEq(soulbound.uri(1), string(abi.encodePacked(newUri, "1.json")));
     }
 
+    function testSetNewUriWhenNotAdmin() public {
+        vm.prank(user);
+        vm.expectRevert();
+        soulbound.setURI(newUri);
+    }
+
     function testMintFunction() public {
         soulbound.grantRole(soulbound.MINTER_ROLE(), address(this));
         soulbound.mint(2, address(2));
-Original file line number
+Diff line change
@@ Expand Up / @@ -91,6 +91,7 @@ contract Soulbound is @@
         }
         function setURI(string memory newuri) external {
+            require(hasRole(DEFAULT_ADMIN_ROLE, msg.sender), "Caller is not an admin role authorised");
             _setURI(newuri);
         }
@@ Expand Down @@