From 4e236423a6f2ead35f3d3e5f5ecb522a193a4949 Mon Sep 17 00:00:00 2001
From: blockiosaurus
Date: Fri, 1 Mar 2024 16:55:43 -0500
Subject: [PATCH] Fixing freeze plugin update permissions.
---
 clients/js/test/plugins/asset/delegate.test.ts | 1 +
 programs/mpl-core/src/plugins/freeze.rs | 18 +++++++++++------
 .../mpl-core/src/processor/update_plugin.rs | 2 ++
 3 files changed, 14 insertions(+), 7 deletions(-)
diff --git a/clients/js/test/plugins/asset/delegate.test.ts b/clients/js/test/plugins/asset/delegate.test.ts
index d27f094c..043137f3 100644
--- a/clients/js/test/plugins/asset/delegate.test.ts
+++ b/clients/js/test/plugins/asset/delegate.test.ts
@@ -123,6 +123,7 @@ test('a delegate can freeze the token', async (t) => {
 __kind: 'Freeze',
 fields: [{ frozen: true }],
 },
+ authority: delegateAddress,
 }).sendAndConfirm(umi);

 const asset = await fetchAssetWithPlugins(umi, assetAddress.publicKey);
diff --git a/programs/mpl-core/src/plugins/freeze.rs b/programs/mpl-core/src/plugins/freeze.rs
index 064b573e..6a076f51 100644
--- a/programs/mpl-core/src/plugins/freeze.rs
+++ b/programs/mpl-core/src/plugins/freeze.rs
@@ -69,13 +69,17 @@ impl PluginValidation for Freeze {
 _args: &crate::processor::UpdatePluginArgs,
 authorities: &[Authority],
 ) -> Result {
- if !self.frozen
- && ((ctx.authority.key == &asset.owner && authorities.contains(&Authority::Owner))
- || (ctx.authority.key == &asset.update_authority.key()
- && authorities.contains(&Authority::UpdateAuthority))
- || authorities.contains(&Authority::Pubkey {
- address: *ctx.authority.key,
- }))
+ // The owner can't update the freeze status.
+ if (ctx.authority.key != &asset.owner
+ && (ctx.authority.key == &asset.update_authority.key()
+ && authorities.contains(&Authority::UpdateAuthority))
+ || authorities.contains(&Authority::Pubkey {
+ address: *ctx.authority.key,
+ }))
+ // Unless the owner is the only authority.
+ || (ctx.authority.key == &asset.owner
+ && authorities.contains(&Authority::Owner)
+ && authorities.len() == 1)
 {
 Ok(ValidationResult::Approved)
 } else {
diff --git a/programs/mpl-core/src/processor/update_plugin.rs b/programs/mpl-core/src/processor/update_plugin.rs
index 27905861..763953f1 100644
--- a/programs/mpl-core/src/processor/update_plugin.rs
+++ b/programs/mpl-core/src/processor/update_plugin.rs
@@ -46,6 +46,8 @@ pub(crate) fn update_plugin<'a>(
 //TODO: Handle plugins that are dynamically sized.
 args.plugin
 .save(ctx.accounts.asset_address, registry_record.offset)?;
+ } else {
+ return Err(MplCoreError::InvalidAuthority.into());
 }

 Ok(())
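Review bot: In `programs/mpl-core/src/plugins/freeze.rs`, the `ctx.authority.key != &asset.owner` test in the new condition guards only the update-authority alternative, because `&&` binds tighter than `||`; the `Authority::Pubkey` alternative is reached without it. If the owner's key can appear in `authorities` as a `Pubkey` entry, the owner is approved despite the comment `// The owner can't update the freeze status.` and regardless of `authorities.len()`. If the exclusion is meant to cover both alternatives, group them: open a second parenthesis on the update-authority line (`&& ((ctx.authority.key == &asset.update_authority.key()`) and close it after the `Pubkey` test (`})))`). If the current grouping is intended, the comment should say that an explicitly listed pubkey is exempt. The enclosing function starts above the hunk and the `else` arm continues below it.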
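Review bot: In `programs/mpl-core/src/processor/update_plugin.rs`, the added `else` arm is what turns an update that fails the check from a silent `Ok(())` into an error, and it has no comment recording that. I would add `// Fail closed: an update that was not approved must error, not return Ok(()) with nothing saved.` above the `return`. The `if` this arm belongs to starts outside the hunk, so which validation results reach it cannot be confirmed from here. The only test change visible in this patch covers the approved delegate path; a test asserting that an unapproved signer gets `InvalidAuthority` would pin the new behaviour.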