0
votes

I am using testrpc and web3.

I used the idiom below to ensure that only a previously defined user should be able to do something:

function doSomethingProtected() {
        if ( msg.sender != authorizedUser )
                throw;

        flagSomething = true;
   }

When calling the function on an instantiated contract with web3 as follows:

myContract.doSomethingProtected( { from: "0x..." } );

it worked. At first I was pleased but then I realized the web3 API had not required me to provide any passphrase for a private key or such like.

Can anyone with the simple knowledge of someones public key/address call this function?

The use of this idiom in the examples led me to believe a benefit of the Ethereum contracts was that it ensured msg.sender was cryptographically assured.

4

4 Answers

2
votes

The reason is that you are using testRPC, which doesn't lock it's accounts, so you don't need a password.

If you were to do this with geth, you would need to unlock the account before sending from it.

Without the private key, that function will throw an error, so you are correct in using that authorization method.

2
votes

It's difficult to be certain without seeing more of your code, but it seems likely that you were calling the contract on your local node, rather than sending a transaction. Transactions can only be signed by someone with the account's private key, meaning you can rely on msg.sender to be accurate, but messages executed on your local node won't enforce that. Any changes they make are rolled back and not applied to state, though, so it doesn't matter what your local call does.

1
votes

In general, there are two ways to call a function from web3.js: Using a transaction or just using a "call". Only in transactions you can actually modify the blockchain content (reading is always possible). Transactions always require a valid signature and thus access to a private key.

The reason you were not asked for a password might be that you already unlocked the account. Furthermore, users other than the authorized user can call the function, only the changes will be thrown away.

0
votes

My guess is that your account was already unlocked when calling the function. I don't remember the exact period that your account is unlocked after unlocking it in web3. I might be wrong though. Would have added this as a comment, but I am not allowed right now.