
Managing Permissions

In the current implementation of the colonyNetwork smart contracts, some on-chain actions are not yet mediated by reputation scores as described in the Whitepaper. For now, certain actions within a colony that would ordinarily require some minimum reputation are instead gated by an "authority role".

Authority Roles

There are two "authority roles": FOUNDER and ADMIN. Each authority role can call certain colonyNetwork methods, which are not permitted by addresses without an authority role. This includes actions such as minting new colony tokens, setting and removing authority roles, adding domains, creating tasks, and much more.

Note: The "authority roles" described here are distinct from "task roles" (MANAGER, WORKER, and EVALUATOR). You can learn more about task roles and their permissions in Task Lifecycle.

Permissions for ColonyClient methods

Method                     Founder   Admin
addDomain                  X         X
addNetworkColonyVersion    X
bootstrapColony            X
createTask                 X         X
mintTokens                 X
moveFundsBetweenPots       X         X
registerColonyLabel        X
removeAdminRole            X
removeRecoveryRole         X
setAdminRole               X         X
setFounderRole             X
setRecoveryRole            X
setRewardInverse           X
setToken                   X
startNextRewardPayout      X         X
upgrade                    X

See ColonyClient for more information about each method.

Permissions for ColonyClient methods (Meta Colony)

Method                       Founder   Admin
addGlobalSkill               X
mintTokensForColonyNetwork   X
setNetworkFeeInverse         X

See ColonyClient for more information about each method.

Permissions for ColonyNetworkClient methods

Method               Founder   Admin
removeRecoveryRole   X
setRecoveryRole      X

See ColonyNetworkClient for more information about each method.

Authority Methods

Set Admin Role

We can use an instance of the ColonyClient to set a user's role to ADMIN:

// Set admin role (`user` is the address being granted ADMIN; the caller must be FOUNDER or ADMIN)
await colonyClient.setAdminRole.send({ user })

Remove Admin Role

We can use an instance of the ColonyClient to remove a user's role as ADMIN:

// Remove admin role (`user` is the address losing ADMIN; only the FOUNDER may call this)
await colonyClient.removeAdminRole.send({ user })

Set Founder Role

We can use an instance of the ColonyClient to set a user's role to FOUNDER:

// Set founder role (`user` becomes the new FOUNDER; only the current FOUNDER may call this)
await colonyClient.setFounderRole.send({ user })

There can be only one FOUNDER, so setting a user to FOUNDER will remove the authority role of the current FOUNDER. Also, there is no removeFounderRole method because a colony must always have a FOUNDER.

Check Authority Role

We can use an instance of the ColonyClient to check the authority role of a user:

// Check user role (`user` is the address to check, `role` is the authority role, FOUNDER or ADMIN)
await colonyClient.hasUserRole.call({
  user,
  role,
});
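The permission table and the four authority methods above describe a small access-control state machine: admins may add admins but not remove them, only the founder may remove admins or hand over the founder role, and there is always exactly one founder. The following is an added example, not code from colonyJS or the colonyNetwork contracts: a local reference model of those rules that can be run offline to check who may call which method before sending a real transaction, or to encode the rules as test assertions. Role and method names are taken from this page; the `AuthorityModel` class, its method signatures and the sample addresses are assumptions of the example.

```javascript
// Added example (not colonyJS or colonyNetwork code): a local reference model of
// the authority-role rules on this page. Role and method names follow the page;
// the class API and the sample addresses below are constructed for illustration.

const FOUNDER = 'FOUNDER';
const ADMIN = 'ADMIN';

// Permission matrix transcribed from the page's ColonyClient table: which
// authority roles may call each method.
const PERMISSIONS = {
  addDomain: [FOUNDER, ADMIN],
  addNetworkColonyVersion: [FOUNDER],
  bootstrapColony: [FOUNDER],
  createTask: [FOUNDER, ADMIN],
  mintTokens: [FOUNDER],
  moveFundsBetweenPots: [FOUNDER, ADMIN],
  registerColonyLabel: [FOUNDER],
  removeAdminRole: [FOUNDER],
  removeRecoveryRole: [FOUNDER],
  setAdminRole: [FOUNDER, ADMIN],
  setFounderRole: [FOUNDER],
  setRecoveryRole: [FOUNDER],
  setRewardInverse: [FOUNDER],
  setToken: [FOUNDER],
  startNextRewardPayout: [FOUNDER, ADMIN],
  upgrade: [FOUNDER],
};

class AuthorityModel {
  constructor(founder) {
    this.founder = founder; // exactly one FOUNDER at all times
    this.admins = new Set();
  }

  // Mirrors hasUserRole: does `user` currently hold `role`?
  hasUserRole(user, role) {
    if (role === FOUNDER) return this.founder === user;
    if (role === ADMIN) return this.admins.has(user);
    return false;
  }

  // Throws unless `caller` holds a role that the table allows for `method`.
  authorize(caller, method) {
    const allowed = PERMISSIONS[method];
    if (!allowed) throw new Error(`unknown method: ${method}`);
    if (!allowed.some((role) => this.hasUserRole(caller, role))) {
      throw new Error(`${caller} is not authorized to call ${method}`);
    }
  }

  setAdminRole(caller, user) {
    this.authorize(caller, 'setAdminRole');
    this.admins.add(user);
  }

  removeAdminRole(caller, user) {
    this.authorize(caller, 'removeAdminRole');
    this.admins.delete(user);
  }

  // Only one FOUNDER: the previous founder loses the role. There is no
  // removeFounderRole, so the founder slot is never empty.
  setFounderRole(caller, user) {
    this.authorize(caller, 'setFounderRole');
    this.founder = user;
  }
}

// Walks through the scenario from this page with constructed addresses and
// returns the observations so they can be checked programmatically.
function demo() {
  const m = new AuthorityModel('0xfounder');
  m.setAdminRole('0xfounder', '0xalice');
  m.setAdminRole('0xalice', '0xbob'); // an ADMIN may add another ADMIN

  let adminRemovedByAdmin = true; // an ADMIN may not remove an ADMIN
  try { m.removeAdminRole('0xalice', '0xbob'); } catch (e) { adminRemovedByAdmin = false; }

  m.setFounderRole('0xfounder', '0xcarol'); // the old founder is demoted
  return {
    bobIsAdmin: m.hasUserRole('0xbob', ADMIN),
    adminRemovedByAdmin,
    oldFounderStillFounder: m.hasUserRole('0xfounder', FOUNDER),
    carolIsFounder: m.hasUserRole('0xcarol', FOUNDER),
  };
}
```

The model's `authorize` step is the check worth porting into integration tests against a real ColonyClient: call `hasUserRole.call` for the sending account before each privileged `send`, and treat a successful call from an account the table does not authorize as a contract or client regression.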