fix: operator precedence bug in UpdateDelegate revoke authority (#253)

AdeshAtole · web-flow · commit 1a681147131a · 2026-02-11T18:52:14.000-05:00
Due to Rust's operator precedence (&amp;&amp; binds tighter than ||), the
condition `A || B &amp;&amp; C &amp;&amp; D` was evaluated as `A || (B &amp;&amp; C &amp;&amp; D)`
instead of the intended `(A || (B &amp;&amp; C)) &amp;&amp; D`.

This meant the `plugin.manager() == Authority::UpdateAuthority` check
only applied to the additional_delegates branch, not the main
resolved_authorities branch. As a result, UpdateDelegate could revoke
authority on owner-managed plugins (FreezeDelegate, TransferDelegate)
that it should not control.

Added explicit parentheses to ensure the manager check applies to
both branches.
diff --git a/programs/mpl-core/src/plugins/internal/authority_managed/update_delegate.rs b/programs/mpl-core/src/plugins/internal/authority_managed/update_delegate.rs
@@ -141,15 +141,19 @@ impl PluginValidation for UpdateDelegate {
     ) -> Result<ValidationResult, ProgramError> {
         let plugin = ctx.target_plugin.ok_or(MplCoreError::InvalidPlugin)?;
 
-        // If the plugin authority is the authority signing.
-        if (ctx.resolved_authorities.is_some()
+        // SECURITY FIX: Added explicit parentheses to fix operator precedence.
+        // Previously, `&& plugin.manager() == Authority::UpdateAuthority` only bound
+        // to the additional_delegates branch due to && having higher precedence than ||.
+        // This allowed UpdateDelegate to revoke authority on owner-managed plugins
+        // (FreezeDelegate, TransferDelegate) which it should not control.
+        if ((ctx.resolved_authorities.is_some()
         && ctx
             .resolved_authorities
             .unwrap()
             .contains(ctx.self_authority))
             // Or the authority is one of the additional delegates.
-            || (self.additional_delegates.contains(ctx.authority_info.key) && PluginType::from(plugin) != PluginType::UpdateDelegate)
-            // And it's an authority-managed plugin.
+            || (self.additional_delegates.contains(ctx.authority_info.key) && PluginType::from(plugin) != PluginType::UpdateDelegate))
+            // And it's an authority-managed plugin (applies to BOTH branches).
             && plugin.manager() == Authority::UpdateAuthority
         {
             approve!()
