commando: don't let readonly default read the datastore.

That... would be dumb, since it holds the master secret! Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
2025-12-24 00:24:19 +01:00 · 2021-08-03 16:54:11 +09:30
parent 02d6bbbf36
commit a903208121
3 changed files with 26 additions and 1 deletions
--- a/commando/test_commando.py
+++ b/commando/test_commando.py
@@ -283,3 +283,26 @@ def test_rune_time(node_factory):
                        method='commando-rune',
                        rune=rune,
                        params={'restrictions': 'id={}'.format(l2.info['id'])})
+
+
+def test_readonly(node_factory):
+    l1, l2 = node_factory.line_graph(2, fundchannel=False,
+                                     opts={'plugin': [plugin_path,
+                                                      datastore_path]})
+    rrune = l2.rpc.commando_rune(restrictions='readonly')['rune']
+
+    l1.rpc.call(method='commando',
+                payload={'peer_id': l2.info['id'],
+                         'method': 'listchannels',
+                         'rune': rrune,
+                         'params': {'source': l1.info['id']}})
+
+    with pytest.raises(RpcError, match='Not authorized.* = getsharedsecret'):
+        l1.rpc.commando(peer_id=l2.info['id'],
+                        rune=rrune,
+                        method='getsharedsecret')
+
+    with pytest.raises(RpcError, match='Not authorized.* = listdatastore'):
+        l1.rpc.commando(peer_id=l2.info['id'],
+                        rune=rrune,
+                        method='listdatastore')