Add named return parameters and _checkSelector function to AccessManager

[ernestognw]

Improvements after #4613

The _checkSelector function is added to keep consistency of the way the calldata selector is consumed.

PR Checklist

• Tests in Improve AccessManager tests #4613
• Documentation
• Changeset entry (run npx changeset add)

[changeset-bot]

⚠️ No Changeset found

Latest commit: 44f5b13

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[frangio]

Note to self and others: this is removed because the public role is not grantable according to the logic of _grantRole.

[Amxx]

Given that the public role is indeed not grantable, does it make sens to set the grant delay ? IMO it send the wrong signal that you can set a delay, and emit the corresponding event, when you know the delay will never be enforced.

[ernestognw]

Perhaps documentation is fine for the case of granting a delay to the PUBLIC_ROLE, I wouldn't add an extra check for a case that is low likely to happen

[frangio]

IMO it send the wrong signal that you can set a delay, and emit the corresponding event, when you know the delay will never be enforced

This is an interesting point, but this is the grant delay for a role that every account automatically has. Observing RoleGrantDelayChanged for such a role should provide no information. I can't think of any incorrect conclusion someone could draw from this event.

[Amxx]

I can't think of any incorrect conclusion someone could draw from this event.

I can imagine someone thinking that new user (if that means anything) are in the grant role with a delay. For example that when a create a new seedphrase/private key (or when I create a new account smart contract) I'll get in the public group after a delay.

Sure that makes no sens, but I'm pretty sure some people out these will believe that.

[Amxx]

Note that in _setRoleAdmin and _setRoleGuardian we don't allow setting the admin/guardian for the PUBLIC_ROLE. I'm not sure why that would be forbiden, but setting the grantDelay would be authorized.

[ernestognw]

After a sync we agreed to keep the initial PUBLIC_ROLE check in _setGrantDelay and make no changes to other functions. I'm reverting this change and pushing an update.

[Amxx]

LGTM, with a minor comment.

[frangio]

What do we do with:

openzeppelin-contracts/contracts/governance/extensions/GovernorTimelockAccess.sol

Line 195 in 2472e51

bytes4 selector = bytes4(calldatas[i]);

openzeppelin-contracts/contracts/access/manager/AccessManaged.sol

Line 109 in 2472e51

bytes4(data)

[Amxx]

In AccessManaged, we could do

function _checkCanCall(address caller, bytes calldata data) internal virtual {
  if (data.length < 4) {
    revert AccessManagedUnauthorized(caller);
  }
  (bool immediate, uint32 delay) = AuthorityUtils.canCallWithDelay(
  ...
}

[Amxx]

In the governor whe should definitelly not revert. We don't know where the proposed call is going. Could be calling a fallback function, or a custom contract that doesn't use 4 bytes selectors.

Maybe we should do

        for (uint256 i = 0; i < targets.length; ++i) {
            if (calldatas[i].length >= 4) {
              address target = targets[i];
              bytes4 selector = bytes4(calldatas[i]);
              (bool immediate, uint32 delay) = AuthorityUtils.canCallWithDelay(
                  address(_manager),
                  address(this),
                  target,
                  selector
              );
              if ((immediate || delay > 0) && !isAccessManagerIgnored(target, selector)) {
                  _setManagerData(plan, i, !immediate, 0);
                  // downcast is safe because both arguments are uint32
                  neededDelay = uint32(Math.max(delay, neededDelay));
              }
          }
        }

[frangio]

My opinion is:

• AccessManaged: Panic. This is dev error, they used the modifier on the fallback function or something like that
• GovernorTimelockAccess: Add if (calldatas[i].length < 4) continue;. Not doing this is arguably a bug?

[Amxx]

GovernorTimelockAccess: Add if (calldatas[i].length < 4) continue;. Not doing this is arguably a bug?

yes

[ernestognw]

In AccessManaged there's no way of getting less than 4 bytes calldata, so I agree with Fran.

For the case of GovernorTimelockAccess that's definitely a bug. However, I'm not sure if if (calldatas[i].length < 4) continue; is the best idea because it will just ignore the operation while the proposalId will include such operation in the hash and will still attempted to execute

I'd rather panic as well.

[frangio]

The operation will not be ignored, as far as I can tell. We would just never ask the AccessManager about that operation, and it would be executed directly on the target.