[DRAFT] Implement access controls for Position objects #130
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Member
jordanschalm
commented
Jan 30, 2026
jordanschalm
commented
Convert Position from struct to resource type with entitlements-based access control. This addresses the TODO at line 3596 and the security concern at line 2640 regarding position access permissions. Key changes: - Added new position-specific entitlements (EPositionDeposit, EPositionWithdraw, EPositionConfigure, EPositionManage) - Converted Position struct to resource type with fine-grained entitlement controls - Updated Pool.createPosition() to return @position resource instead of UInt64 - Added storage path helper functions (getPositionStoragePath, getPositionPublicPath) - Removed PositionWrapper pattern in favor of direct Position resource storage - Updated all test transactions to work with Position resources - Position resources are now held in user accounts with proper ownership Breaking changes: - Pool.createPosition() returns @position instead of UInt64 - Position can no longer be manually constructed - All position operations require appropriate entitlements - Users must store Position resources in their accounts https://claude.ai/code/session_01QbCEFZ42NrxU7hdZo7KWPw
Resolved conflicts in the following files: - cadence/tests/funds_available_above_target_health_test.cdc:11-17 Reasoning: Redundant variable declarations that were moved to test_helpers.cdc Resolution: Removed local declarations (flowTokenIdentifier, moetTokenIdentifier, flowVaultStoragePath) as they are now imported from test_helpers.cdc - cadence/tests/funds_required_for_target_health_test.cdc:12-18 Reasoning: Same refactoring - constants moved to shared test_helpers.cdc Resolution: Removed local declarations in favor of imported constants from test_helpers.cdc - cadence/tests/position_lifecycle_happy_test.cdc:15-20 Reasoning: Same refactoring - constants moved to shared test_helpers.cdc Resolution: Removed local declarations (flowTokenIdentifier, flowVaultStoragePath) in favor of imported constants - cadence/tests/position_lifecycle_happy_test.cdc:88-92 Reasoning: Conflicting transaction parameter - positionId (HEAD) vs WRAPPER_STORAGE_PATH (origin/main) Resolution: Kept positionId parameter from HEAD, as the transaction file (repay_and_close_position.cdc:18) expects positionId: UInt64 parameter, not a storage path Co-Authored-By: Claude Sonnet 4.5 <[email protected]>
Test transactions now borrow Position references directly from PositionManager instead of calling proxy methods. This follows the pattern where PositionManager only provides core collection functionality (add, remove, borrow) and users interact directly with Position objects. Changes: - borrow_from_position.cdc: Borrow Position and call withdraw() directly - deposit_to_wrapped_position.cdc: Borrow Position, auto-find position ID, and call depositAndPush() directly - repay_and_close_position.cdc: Borrow Position and call methods directly - flow.json: Add missing test contracts (UniswapV2SwapConnectors, TokenA, TokenB, EVMAbiHelpers) All 31 tests now passing. Co-Authored-By: Claude Sonnet 4.5 <[email protected]>
Co-Authored-By: Claude Sonnet 4.5 <[email protected]>
Add createPositionPublic() wrapper function to Pool that allows anyone to create positions without requiring beta grant capabilities. Remove MockFlowCreditMarketConsumer infrastructure and replace with direct Position operations via PositionManager. All tests passing (31/31). Changes: - Add Pool.createPositionPublic() public wrapper function - Remove MockFlowCreditMarketConsumer contract and transactions - Add position-manager transactions for deposit/borrow operations - Update all tests to use public creation pattern - Remove grantPoolCapToConsumer() helper function Co-Authored-By: Claude Sonnet 4.5 <[email protected]>
Replace the wrapper function approach with a simpler solution: change createPosition() from access(EParticipant) to access(all). This allows the function to be called through the existing public Pool capability without requiring a wrapper or attempting to publish entitled capabilities (which Cadence runtime prevents). Key insight: Cadence prevents publishing auth(E) capabilities to public paths at runtime, so the cleaner approach is to change the function's access level directly rather than working around it with wrappers. Changes: - Change Pool.createPosition() from access(EParticipant) to access(all) - Remove createPositionPublic() wrapper function (no longer needed) - Update transaction to use standard PoolPublicPath - All 31 tests passing Co-Authored-By: Claude Sonnet 4.5 <[email protected]>
- Update Position storage paths to camelCase with address suffix - Remove EPositionDeposit entitlement (deposits now access(all)) - Replace EPositionWithdraw with FungibleToken.Withdraw - Remove EpositionAdmin entitlement (unused) - Add documentation for EPositionManage entitlement - Remove beta grant references from documentation - Clean up changeset-specific comments Co-Authored-By: Claude Sonnet 4.5 <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.