WIP: Make requireAuth recursive if the sender is a vault

ximinez · ximinez · commit 1502d8bf254c · 2025-09-03T19:21:56.000-04:00
diff --git a/src/test/app/Vault_test.cpp b/src/test/app/Vault_test.cpp
@@ -1768,6 +1768,18 @@ class Vault_test : public beast::unit_test::suite
                      .amount = asset(100)});
                 env(tx, ter(tecNO_AUTH));
 
+                // Withdrawal to other (authorized) accounts doesn't work.
+                // Issuer would have to VaultClawback
+                tx[sfDestination] = issuer.human();
+                env(tx, ter(tecNO_AUTH));
+                tx[sfDestination] = owner.human();
+                env(tx, ter(tecNO_AUTH));
+                env.close();
+
+                // Issuer reauthorizes
+                mptt.authorize({.account = issuer, .holder = depositor});
+                env.close();
+
                 // Withdrawal to other (authorized) accounts works
                 tx[sfDestination] = issuer.human();
                 env(tx);
@@ -1776,6 +1788,13 @@ class Vault_test : public beast::unit_test::suite
                 env.close();
             }
 
+            // Re-unauthorize
+            mptt.authorize(
+                {.account = issuer,
+                 .holder = depositor,
+                 .flags = tfMPTUnauthorize});
+            env.close();
+
             {
                 // Cannot deposit some more
                 auto tx = vault.deposit(
diff --git a/src/xrpld/ledger/detail/View.cpp b/src/xrpld/ledger/detail/View.cpp
@@ -2548,6 +2548,24 @@ requireAuth(
                 !isTesSuccess(err))
                 return err;
         }
+
+        // requireAuth is also recursive if the _account_ is a vault
+        auto const sleAccount = view.read(keylet::account(account));
+        if (!sleAccount)
+            return tefINTERNAL;  // LCOV_EXCL_LINE
+
+        if (sleAccount->isFieldPresent(sfVaultID))
+        {
+            auto const sleVault =
+                view.read(keylet::vault(sleAccount->getFieldH256(sfVaultID)));
+            if (!sleVault)
+                return tefINTERNAL;  // LCOV_EXCL_LINE
+            auto const ownerAcct = sleVault->getAccountID(sfOwner);
+            if (auto const err =
+                    requireAuth(view, mptIssue, ownerAcct, authType, depth + 1);
+                !isTesSuccess(err))
+                return err;
+        }
     }
 
     auto const mptokenID = keylet::mptoken(mptID.key, account);
