test: add require_auth negative-path matrix for all entrypoints #572
Merged
greatest0fallt1me merged 5 commits intoMay 28, 2026
Adds contracts/predictify-hybrid/src/require_auth_coverage_tests.rs with a full positive + negative auth matrix covering every state-changing entrypoint in lib.rs:
User-scoped (require_auth on caller): deposit, withdraw, vote, place_bet, place_bets, cancel_bet, claim_winnings, dispute_market, vote_on_dispute
Admin-scoped (require_primary_admin / require_admin_permission): create_market, create_event, resolve_market_manual, resolve_market_with_ties, resolve_dispute, collect_fees, withdraw_collected_fees, set_platform_fee, set_treasury, set_global_claim_period, set_market_claim_period, sweep_unclaimed_winnings, extend_deadline, update_event_description, update_event_outcomes, update_event_category, update_event_tags, set_global_bet_limits, set_event_bet_limits, set_oracle_val_cfg_global, set_oracle_val_cfg_event, admin_override_verification, archive_event, prune_archive, add_admin, remove_admin, migrate_to_multi_admin, upgrade_contract
Edge cases:
- Uninitialized contract returns AdminNotSet for all admin calls
- Forged instance-storage admin bypass is rejected
- Correct caller / wrong subject address panics (vote, claim_winnings)
- user_b cannot claim user_a winnings (NothingToClaim, not silent success)
- user_a and user_b are never confused by the contract (AlreadyVoted check)
Also fixes two pre-existing lib.rs bugs:
- Stray let-statement and dangling doc comment outside any fn/impl block
- Duplicate 'tokens' module declaration
@od-hunter Great news! 🎉 Based on an automated assessment of this PR, the linked Wave issue(s) no longer count against your application limits. You can now already apply to more issues while waiting for a review of this PR. Keep up the great work! 🚀
hi @greatest0fallt1me, please review
All 81 tests pass. Full positive + negative auth coverage for every
state-changing entrypoint in lib.rs.
Auth matrix (38 entrypoints x positive + negative = 76 tests):
User-scoped: deposit, withdraw, vote, place_bet, place_bets,
cancel_bet, claim_winnings, dispute_market, vote_on_dispute
Admin-scoped: create_market, create_event, resolve_market_manual,
resolve_market_with_ties, resolve_dispute, collect_fees,
withdraw_collected_fees, set_platform_fee, set_treasury,
set_global_claim_period, set_market_claim_period,
sweep_unclaimed_winnings, extend_deadline, update_event_description,
update_event_outcomes, update_event_category, update_event_tags,
set_global_bet_limits, set_event_bet_limits, set_oracle_val_cfg_global,
set_oracle_val_cfg_event, admin_override_verification, archive_event,
prune_archive, add_admin, remove_admin, migrate_to_multi_admin,
upgrade_contract
Edge cases (5 tests):
- Uninitialized contract returns AdminNotSet for all admin calls
- Forged instance-storage admin bypass rejected
- Correct caller / wrong subject panics (vote, claim_winnings)
- user_b cannot claim user_a winnings (NothingToClaim)
- Two distinct users never confused by contract
Pre-existing bug fixes required to make tests runnable:
- lib.rs: remove duplicate circuit breaker init (caused panic before
store_config was reached)
- lib.rs: store ContractConfig and RateLimitConfig during initialize
(create_market validation requires both)
- lib.rs: remove stray let-statement and dangling doc comment outside fn
- lib.rs: remove duplicate mod tokens declaration
- oracles.rs: remove duplicate persistent().set() call (oracle_data)
- oracles.rs: fix .to_string() on soroban_sdk::String
- queries.rs: fix .to_string() on soroban_sdk::String
- queries.rs: fix Error::ContractStateError -> Error::ConfigNotFound
- queries.rs: fix borrow of moved market_id
- disputes.rs: fix borrow of moved reason
- disputes.rs: add #[derive(Debug, PartialEq)] to DisputeResolution
- multi_admin_multisig_tests.rs: fix initialize() missing 3rd arg
- multi_admin_multisig_tests.rs: fix ContractEvents.len() -> .events().len()
- admin_auth_audit_tests.rs: fix initialize() missing 3rd arg
- category_tags_tests.rs: fix initialize() missing 3rd arg
- storage_layout_tests.rs: add missing imports
dd42a2c to 3cb4cd8
Restore DisputeUtils signatures dropped in the rustdoc merge, re-register require_auth_coverage_tests, add missing FeeArithmeticOverflow variant, and clean up duplicate imports from the master merge conflict. Co-authored-by: Cursor <cursoragent@cursor.com>
Return FallbackOracleUnavailable when both oracles fail, store recovery history per-market to stay within host budget, and adjust the cap test to verify trim logic without exceeding Soroban storage limits. Co-authored-by: Cursor <cursoragent@cursor.com>
Merged via direct push to master (admin)
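A std-only Rust model of the positive + negative auth matrix this PR describes, added here as an illustration and not taken from require_auth_coverage_tests.rs or the project. `Contract`, `Signers`, `Call`, `require_auth`, `negative_matrix`, the error enum and the sample addresses are hypothetical stand-ins, and where the Soroban host would trap on a missing authorization the model returns `Unauthorized` so the result can be asserted on.

```rust
use std::collections::{HashMap, HashSet};
#[derive(Debug, PartialEq, Clone, Copy)]
pub enum Error { Unauthorized, AdminNotSet, AlreadyVoted, NothingToClaim }
pub type Signers = [&'static str]; // addresses that authorized this invocation (model)
type Call = fn(&mut Contract, &Signers) -> Result<(), Error>;

#[derive(Default)]
pub struct Contract {
    admin: Option<&'static str>,
    voted: HashSet<&'static str>,
    winnings: HashMap<&'static str, u64>,
}

// The real host traps on a missing authorization; the model returns an error instead.
fn require_auth(s: &Signers, who: &str) -> Result<(), Error> {
    if s.iter().any(|a| *a == who) { Ok(()) } else { Err(Error::Unauthorized) }
}
impl Contract {
    pub fn seeded() -> Self { // constructed sample state: one admin, one pending payout
        Contract { admin: Some("admin"), winnings: HashMap::from([("user_a", 50)]), ..Default::default() }
    }
    pub fn set_platform_fee(&mut self, s: &Signers, admin: &str, _bps: u32) -> Result<(), Error> {
        let stored = self.admin.ok_or(Error::AdminNotSet)?; // uninitialized contract
        if stored != admin { return Err(Error::Unauthorized); } // must match the stored admin
        require_auth(s, admin)
    }
    pub fn vote(&mut self, s: &Signers, user: &'static str) -> Result<(), Error> {
        require_auth(s, user)?; // the subject must have signed, not merely some caller
        if self.voted.insert(user) { Ok(()) } else { Err(Error::AlreadyVoted) }
    }
    pub fn claim_winnings(&mut self, s: &Signers, user: &'static str) -> Result<(), Error> {
        require_auth(s, user)?;
        self.winnings.remove(user).map(|_| ()).ok_or(Error::NothingToClaim)
    }
}

// One row per entrypoint: assert the positive path, return the negative-path result.
pub fn negative_matrix() -> Vec<(&'static str, Result<(), Error>)> {
    let rows: [(&'static str, &'static str, Call); 3] = [
        ("set_platform_fee", "admin", |c, s| c.set_platform_fee(s, "admin", 250)),
        ("vote", "user_a", |c, s| c.vote(s, "user_a")),
        ("claim_winnings", "user_a", |c, s| c.claim_winnings(s, "user_a")),
    ];
    rows.iter().map(|&(name, signer, call)| {
        assert_eq!(call(&mut Contract::seeded(), &[signer]), Ok(()), "{}: positive path", name);
        (name, call(&mut Contract::seeded(), &["outsider"]))
    }).collect()
}

fn main() { for (n, r) in negative_matrix() { println!("{}: unsigned call -> {:?}", n, r); } }
```

Each row runs against a fresh seeded contract, so a state change on the positive path cannot mask a missing check on the negative path.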
Closes #543