fix: external withdraw permission check

amarinkovic · amarinkovic · commit 6e32b934b25d · 2025-02-20T13:11:24.000+01:00
diff --git a/src/facets/TokenizedVaultIOFacet.sol b/src/facets/TokenizedVaultIOFacet.sol
@@ -53,7 +53,7 @@ contract TokenizedVaultIOFacet is Modifiers, ReentrancyGuard {
         address _receiver,
         address _externalTokenAddress,
         uint256 _amount
-    ) external notLocked nonReentrant assertPrivilege(LibObject._getParentFromAddress(msg.sender), LC.GROUP_EXTERNAL_WITHDRAW_FROM_ENTITY) {
+    ) external notLocked nonReentrant assertPrivilege(_entityId, LC.GROUP_EXTERNAL_WITHDRAW_FROM_ENTITY) {
         if (!LibACL._hasGroupPrivilege(LibHelpers._getIdForAddress(_receiver), _entityId, LibHelpers._stringToBytes32(LC.GROUP_EXTERNAL_WITHDRAW_FROM_ENTITY)))
             revert ExternalWithdrawInvalidReceiver(_receiver);
         LibTokenizedVaultIO._externalWithdraw(_entityId, _receiver, _externalTokenAddress, _amount);
diff --git a/test/T02Access.t.sol b/test/T02Access.t.sol
@@ -149,20 +149,19 @@ contract T02Access is D03ProtocolDefaults {
         changePrank(ea);
         writeTokenBalance(ea.addr, naymsAddress, wethAddress, 1 ether);
         nayms.externalDeposit(wethAddress, 1 ether); // deposit 100 weth into ea's parent (sm.entityId)
-        // Withdrawing from the entity sm.entityId
         nayms.externalWithdrawFromEntity(sm.entityId, ea.addr, wethAddress, 100);
 
         changePrank(cc);
         writeTokenBalance(cc.addr, naymsAddress, wethAddress, 1 ether);
-        vm.expectRevert(); // Invalid group privilege
         nayms.externalWithdrawFromEntity(sm.entityId, cc.addr, wethAddress, 100);
 
         changePrank(sm);
-        nayms.setEntity(cc.id, sm.entityId); // User's parent must be set to the entity to deposit and withdraw from it
-        changePrank(cc);
-        nayms.externalWithdrawFromEntity(sm.entityId, cc.addr, wethAddress, 100);
+        hCreateEntity(ts.entityId, ts.id, entity, "entity test hash");
+        changePrank(sa);
+        hAssignRole(ts.id, ts.entityId, LC.ROLE_ENTITY_ADMIN);
 
-        vm.expectRevert(abi.encodeWithSelector(ExternalWithdrawInvalidReceiver.selector, sm.addr));
+        changePrank(ts);
+        vm.expectRevert(abi.encodeWithSelector(InvalidGroupPrivilege.selector, ts.id, sm.entityId, "", LC.GROUP_EXTERNAL_WITHDRAW_FROM_ENTITY));
         nayms.externalWithdrawFromEntity(sm.entityId, sm.addr, wethAddress, 100); // Invalid receiver sm.addr
     }
 
