From 18470ec460a29ed35ea8cb10f7ac6626c033c973 Mon Sep 17 00:00:00 2001
From: bl0up
Date: Tue, 4 Feb 2025 15:23:56 +0100
Subject: [PATCH] fix: protect setURI (#104)
## Summary by Sourcery Tests: - Add a test case to verify that only users with the admin role can call the `setURI` function.
---
 contracts/SoulboundToken.sol | 1 +
 test/SoulboundToken.t.sol | 7 +++++++
 2 files changed, 8 insertions(+)
diff --git a/contracts/SoulboundToken.sol b/contracts/SoulboundToken.sol
index cf96077..3ab07e7 100644
--- a/contracts/SoulboundToken.sol
+++ b/contracts/SoulboundToken.sol
@@ -91,6 +91,7 @@ contract Soulbound is
 }
 function setURI(string memory newuri) external {
+ require(hasRole(DEFAULT_ADMIN_ROLE, msg.sender), "Caller is not an admin role authorised");
 _setURI(newuri);
 }
diff --git a/test/SoulboundToken.t.sol b/test/SoulboundToken.t.sol
index 3cdb29d..790030f 100644
--- a/test/SoulboundToken.t.sol
+++ b/test/SoulboundToken.t.sol
@@ -8,6 +8,7 @@ import { IERC1155 } from "@openzeppelin/contracts/token/ERC1155/IERC1155.sol";
 contract SoulboundTokenTest is Test {
 Soulbound soulbound;
 address operator = address(0x123);
+ address user = makeAddr("user");
 string uri = "https://example.com/metadata/";
 string newUri = "https://example.com/new-metadata/";
@@ -52,6 +53,12 @@ contract SoulboundTokenTest is Test {
 assertEq(soulbound.uri(1), string(abi.encodePacked(newUri, "1.json")));
 }
+ function testSetNewUriWhenNotAdmin() public {
+ vm.prank(user);
+ vm.expectRevert();
+ soulbound.setURI(newUri);
+ }
+
 function testMintFunction() public {
 soulbound.grantRole(soulbound.MINTER_ROLE(), address(this));
 soulbound.mint(2, address(2));
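Review bot: The guard added to `setURI` is an inline `require` whose revert string does not read as a sentence ("Caller is not an admin role authorised"), and the access rule is hidden in the body rather than stated in the signature. If `Soulbound` inherits OpenZeppelin's AccessControl, which `hasRole` and `DEFAULT_ADMIN_ROLE` suggest but the hunk does not show, the modifier form `function setURI(string memory newuri) external onlyRole(DEFAULT_ADMIN_ROLE) {` is easier to audit and reverts with the library's standard error. Gating a routine metadata update on `DEFAULT_ADMIN_ROLE` also means the account that changes the URI is the one that can grant and revoke every other role; a dedicated role for URI updates would keep the admin key out of day-to-day use. The contract body starts and continues outside the hunk, so whether other setters have the same gap cannot be judged from here.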
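Review bot: In `testSetNewUriWhenNotAdmin` the bare `vm.expectRevert();` accepts any revert, so the test still passes if `setURI` fails for a reason unrelated to the role check and it would not catch the guard being replaced by a different failure. Pin the expected reason, for example `vm.expectRevert(bytes("Caller is not an admin role authorised"));`, or the matching custom error if the contract moves to a role modifier. A follow-up `assertEq(soulbound.uri(1), ...)` against the original URI after the reverted call would also document that an unauthorised caller leaves the metadata untouched; how the initial URI is set up is outside the hunk.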