Fixing freeze plugin update permissions.

clients/js/test/plugins/asset/delegate.test.ts

@@ -123,6 +123,7 @@ test('a delegate can freeze the token', async (t) => {
       __kind: 'Freeze',
       fields: [{ frozen: true }],
     },
+    authority: delegateAddress,
   }).sendAndConfirm(umi);
 
   const asset = await fetchAssetWithPlugins(umi, assetAddress.publicKey);

programs/mpl-core/src/plugins/freeze.rs

@@ -69,13 +69,17 @@ impl PluginValidation for Freeze {
         _args: &crate::processor::UpdatePluginArgs,
         authorities: &[Authority],
     ) -> Result<ValidationResult, solana_program::program_error::ProgramError> {
-        if !self.frozen
-            && ((ctx.authority.key == &asset.owner && authorities.contains(&Authority::Owner))
-                || (ctx.authority.key == &asset.update_authority.key()
-                    && authorities.contains(&Authority::UpdateAuthority))
-                || authorities.contains(&Authority::Pubkey {
-                    address: *ctx.authority.key,
-                }))
+        // The owner can't update the freeze status.
+        if (ctx.authority.key != &asset.owner
+            && (ctx.authority.key == &asset.update_authority.key()
+                && authorities.contains(&Authority::UpdateAuthority))
+            || authorities.contains(&Authority::Pubkey {
+                address: *ctx.authority.key,
+            }))
+            // Unless the owner is the only authority.
+            || (ctx.authority.key == &asset.owner
+                && authorities.contains(&Authority::Owner)
+                && authorities.len() == 1)
         {
             Ok(ValidationResult::Approved)
         } else {

programs/mpl-core/src/processor/update_plugin.rs

@@ -46,6 +46,8 @@ pub(crate) fn update_plugin<'a>(
         //TODO: Handle plugins that are dynamically sized.
         args.plugin
             .save(ctx.accounts.asset_address, registry_record.offset)?;
+    } else {
+        return Err(MplCoreError::InvalidAuthority.into());
     }
 
     Ok(())