🐛 Treasury Proposal Creation Allowed Without Receiving Stake Address and Amount #2435

Open
kneerose opened this issue Nov 28, 2024 · 7 comments
Labels
🐛 Bug Something isn't working 📜 Proposal Pillar

Area

Proposal Pillar

Domain

dev-sanchogov.tools

Which wallet were you using?

No response

Context

While creating a treasury proposal, the "Receiving Stake Address" and "Amount" fields are marked as required. However, it is possible to proceed to the next step even if these fields are left empty. As a result, I can create a treasury proposal without providing a receiving stake address or amount. When attempting to submit this proposal to the governance action, an error occurs.

To prevent this issue, the Continue button should be disabled and proposal creation should be rejected if the "Receiving Stake Address" or "Amount" field is empty or invalid.

Steps to reproduce

  1. Connect your wallet.
  2. Navigate to the Create Proposal form.
  3. Select the governance action type Treasury.
  4. Fill in all required fields except "Receiving Stake Address" and "Amount."
  5. Observe that the Continue button is enabled, allowing submission of a treasury proposal without these fields.
  6. Submit the incomplete proposal to governance action.
  7. Observe the error message displayed.

Actual behavior

  • The Continue button is enabled even when "Receiving Stake Address" and "Amount" fields are empty or invalid.

  • For a wrong "Receiving Stake Address" and "Amount":

  • A treasury proposal can be created without these required fields.

  • An error occurs upon submitting the incomplete proposal to governance action.

Expected behavior

  • Treasury proposal creation should be rejected if the "Receiving Stake Address" or "Amount" field is empty or invalid.
  • The Continue button should be disabled until both fields are correctly filled.

sentry-io bot commented Nov 28, 2024

Sentry Issue: GOVTOOL-FRONTEND-A9

kneerose commented Dec 5, 2024

@nebojsact, the frontend correctly prevents proceeding to the next step in treasury proposal creation if the "Receiving Stake Address" or "Amount" fields are empty or invalid. This functionality ensures user input validation on the client side.

However, the backend currently allows the creation of treasury proposals without validating these fields, resulting in inconsistent behavior.

Example: Creating a Treasury Proposal Without "Receiving Stake Address" or "Amount"

The following curl command demonstrates how a treasury proposal can be created via the backend API without providing the "Receiving Stake Address" or "Amount":

curl 'https://z74f91f2d-zb0719f09-gtw.z937eb260.rustrocks.fr/api/proposals' \
  -H 'accept: application/json, text/plain, */*' \
  -H 'accept-language: en,en-GB;q=0.9,en-US;q=0.8' \
  -H 'authorization: Bearer xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx' \
  -H 'content-type: application/json' \
  -H 'origin: https://dev-sanchonet.govtool.byron.network' \
  -H 'priority: u=1, i' \
  -H 'referer: https://dev-sanchonet.govtool.byron.network/' \
  -H 'sec-ch-ua: "Google Chrome";v="131", "Chromium";v="131", "Not_A Brand";v="24"' \
  -H 'sec-ch-ua-mobile: ?0' \
  -H 'sec-ch-ua-platform: "Linux"' \
  -H 'sec-fetch-dest: empty' \
  -H 'sec-fetch-mode: cors' \
  -H 'sec-fetch-site: cross-site' \
  -H 'user-agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36' \
  --data-raw '{"data":{"proposal_links":[],"proposal_withdrawals":[],"gov_action_type_id":2,"prop_name":"testWithCurl","prop_abstract":"asd","prop_motivation":"asd","prop_rationale":"aasd","is_draft":false}}'

Example: Creating a Proposal With an Invalid Stake Address

The backend also allows proposals to be created with an incorrect stake address. The following example uses an invalid "Receiving Stake Address" (stake1):

curl 'https://z74f91f2d-zb0719f09-gtw.z937eb260.rustrocks.fr/api/proposals' \
  -H 'accept: application/json, text/plain, */*' \
  -H 'accept-language: en,en-GB;q=0.9,en-US;q=0.8' \
  -H 'authorization: Bearer XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX' \
  -H 'content-type: application/json' \
  -H 'origin: https://dev-sanchonet.govtool.byron.network' \
  -H 'priority: u=1, i' \
  -H 'referer: https://dev-sanchonet.govtool.byron.network/' \
  -H 'sec-ch-ua: "Google Chrome";v="131", "Chromium";v="131", "Not_A Brand";v="24"' \
  -H 'sec-ch-ua-mobile: ?0' \
  -H 'sec-ch-ua-platform: "Linux"' \
  -H 'sec-fetch-dest: empty' \
  -H 'sec-fetch-mode: cors' \
  -H 'sec-fetch-site: cross-site' \
  -H 'user-agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36' \
  --data-raw '{"data":{"proposal_links":[],"proposal_withdrawals":[{"prop_receiving_address":"stake1","prop_amount":"1232"}],"gov_action_type_id":2,"prop_name":"asd","prop_abstract":"afdsfdsfg","prop_motivation":"fdgdfg","prop_rationale":"dfg","is_draft":false}}'

Note

  • Ensure the backend validates both the "Receiving Stake Address" and "Amount" fields.
  • Reject any requests with:
    - Empty "Receiving Stake Address".
    - Invalid or malformed "Receiving Stake Address".
    - Missing or non-numeric "Amount".

CC: @bosko-m
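
The server-side checks requested in the note above could look like the following. This is an added example, not GovTool code or part of the original comment: `isStakeAddress` and `validateTreasuryProposal` are hypothetical names, `gov_action_type_id` 2 is assumed to mean Treasury because both requests above use it, and the amount is assumed to be a positive whole number.

```javascript
const CHARSET = "qpzry9x8gf2tvdw0s3jn54khce6mua7l";
const GEN = [0x3b6a57b2, 0x26508e6d, 0x1ea119fa, 0x3d4233dd, 0x2a1462b3];

// Bech32 checksum polynomial over 5-bit words (BIP-173).
function polymod(words) {
  let chk = 1;
  for (const w of words) {
    const top = chk >>> 25;
    chk = ((chk & 0x1ffffff) << 5) ^ w;
    GEN.forEach((g, i) => { if ((top >>> i) & 1) chk ^= g; });
  }
  return chk;
}
const hrpExpand = (hrp) => [...hrp].map((c) => c.charCodeAt(0) >> 5)
  .concat(0, [...hrp].map((c) => c.charCodeAt(0) & 31));

// True only for a lowercase bech32 stake address with a valid checksum,
// a 29-byte payload, and a header byte that matches the prefix (CIP-19).
function isStakeAddress(addr) {
  if (typeof addr !== "string" || addr !== addr.toLowerCase()) return false;
  const sep = addr.lastIndexOf("1");
  const hrp = addr.slice(0, Math.max(sep, 0));
  if (hrp !== "stake" && hrp !== "stake_test") return false;
  const words = [...addr.slice(sep + 1)].map((c) => CHARSET.indexOf(c));
  if (words.includes(-1) || polymod(hrpExpand(hrp).concat(words)) !== 1) return false;
  let acc = 0, bits = 0;
  const bytes = [];
  for (const w of words.slice(0, -6)) {          // drop the 6 checksum words
    acc = (acc << 5) | w; bits += 5;
    if (bits >= 8) { bits -= 8; bytes.push((acc >> bits) & 0xff); acc &= (1 << bits) - 1; }
  }
  const type = bytes[0] >> 4, net = bytes[0] & 0x0f;
  return bytes.length === 29 && (type === 0xe || type === 0xf)
    && net === (hrp === "stake" ? 1 : 0);
}

// Hypothetical validator; returns a list of errors (empty means accept).
function validateTreasuryProposal(body) {
  const d = body?.data ?? {};
  if (d.gov_action_type_id !== 2) return [];     // assumption: 2 = Treasury, as in the requests above
  const list = Array.isArray(d.proposal_withdrawals) ? d.proposal_withdrawals : [];
  const errors = list.length ? [] : ["proposal_withdrawals must not be empty"];
  list.forEach((w, i) => {
    if (!isStakeAddress(w?.prop_receiving_address)) errors.push(`withdrawal ${i}: invalid stake address`);
    // Assumption: the amount is a positive whole number sent as a string or number.
    if (!/^[1-9]\d*$/.test(String(w?.prop_amount ?? ""))) errors.push(`withdrawal ${i}: invalid amount`);
  });
  return errors;
}
```

Run against the two request bodies above, the validator returns one error each: an empty `proposal_withdrawals` list for the first, and an invalid stake address for `stake1` in the second.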

kneerose commented Dec 9, 2024

@nebojsact I am still able to reproduce this issue. Could you confirm in which version of the PDFUI this issue is fixed? I believe the current PDFUI version is v0.5.4 on dev.

CC: @bosko-m

nebojsact commented Dec 9, 2024 via email

@kneerose
Contributor Author

@MSzalowski, I am unable to test this as the new PDF version has not been updated in the dev environment. Could you please update it to the latest version?
CC: @bosko-m

@kneerose
Contributor Author

@nebojsact, has the latest version of the backend been updated? I am still able to reproduce this issue.

bosko-m commented Dec 10, 2024

As soon as we have a deployment to preview, you will be able to test it @kneerose

Projects
Status: No status
Status: In QA