safeTransferFrom being called by Anyone once setApprovalForAll is called

I have the following function in my ERC721 Smart Contract:

function tokTransfer(address payable from, address to, uint256 tokenId, uint256 price) external payable {
    require(msg.value >= price);
    // External call through `this`: inside safeTransferFrom, _msgSender() is this contract's address
    this.safeTransferFrom(from, to, tokenId);
    AddressUpgradeable.sendValue(from, price);
}

I am calling this function from my front-end Dapp using the following:

this.contInst.methods.tokTransfer(tokOwner, this.account, TokenId, PriceBN).send({
  from: this.account, // Corresponds to Purchaser Account
  value: this.web3.utils.toWei(PriceStr, 'ether')
});

Token owners have called the setApprovalForAll on my Smart Contract, granting it authorisation to sell their tokens on their behalf. However, I am able to call this function directly in Truffle with the following statement (using the Purchaser account (i.e. accounts[2]) as the _msgSender):

instance.tokTransfer(accounts[1], accounts[2], 1001, '2500000000', {from: accounts[2], value: '2500000000'})

How can I actually call my function, which itself calls the safeTransferFrom OpenZeppelin function, while the Sender (_msgSender) of the Transaction does not satisfy the require statement in the function below? Am I misinterpreting the _msgSender value, or not properly understanding something?

    function safeTransferFrom(
        address from,
        address to,
        uint256 tokenId,
        bytes memory _data
    ) public virtual override {
        require(_isApprovedOrOwner(_msgSender(), tokenId), "ERC721: transfer caller is not owner nor approved");
        _safeTransfer(from, to, tokenId, _data);
    }

Thank you. J

Did you actually run into an error? If so, which one?

The sender does satisfy the require statement "is approved or owner" because it is approved, if your users called setApprovalForAll with the address of the smart contract.

Thank you @frangio. No, no error, but this is the issue. The setApprovalForAll function (which is: "function setApprovalForAll(address operator, bool approved)") was called with my Contract as the operator parameter. Doesn't this imply that only my Contract was approved as a seller? According to the documentation, the setApprovalForAll function is to authorise a specific address to sell ALL the Tokens of a specific owner, but does not grant anyone to sell the said tokens. Currently, anyone, even if they are not part of the setApprovalForAll mapping (referenced above), can actually call the safeTransferFrom function. Shouldn't only the addresses that are part of the mapping be authorised to call it? I believe that this is a glitch (which could create a major vulnerability for some Smart Contracts already deployed) in the way this function is supposed to work.

This is well explained at the following link, towards the beginning under the "Authorised" header:

For anyone reading, the function is behaving as expected. It's explained here:

Hi, could you please explain, with a contract example, the safeTransferFrom method with regard to preventing the [ERC721: transfer caller is not owner nor approved] error? Thanks.

@cristiano You need to either be the owner of the token you wish to transfer or execute the setApprovalForAll or approve for one specific token beforehand if you wish to avoid this error, as clearly explained here.

Perhaps a clean example using 2 contracts, one having a mint function and the other having a forsale function, would be nice.

It would be great if someone could write up a very simple example to demonstrate the use of safeTransferFrom together with approvals, in an ERC721 marketplace contract.
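
The following is an added example, not code from any participant in this thread or from OpenZeppelin. It shows a separate marketplace contract that sells ERC721 tokens through safeTransferFrom using the owner's approval, with the price fixed by the owner's on-chain listing instead of being passed in by the buyer as in tokTransfer above. Marketplace, list, cancel and buy are hypothetical names, and the import path assumes the standard @openzeppelin/contracts package.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

import "@openzeppelin/contracts/token/ERC721/IERC721.sol";

// Added example: all contract and function names here are hypothetical.
contract Marketplace {
    struct Listing { address seller; uint256 price; }

    IERC721 public immutable token;
    mapping(uint256 => Listing) public listings;

    constructor(IERC721 token_) { token = token_; }

    // Only the current owner can list a token, and the owner sets the price.
    function list(uint256 tokenId, uint256 price) external {
        require(token.ownerOf(tokenId) == msg.sender, "not token owner");
        require(price > 0, "price is zero");
        require(
            token.isApprovedForAll(msg.sender, address(this)) ||
                token.getApproved(tokenId) == address(this),
            "marketplace not approved"
        );
        listings[tokenId] = Listing(msg.sender, price);
    }

    function cancel(uint256 tokenId) external {
        require(listings[tokenId].seller == msg.sender, "not seller");
        delete listings[tokenId];
    }

    // Anyone may call buy, but only for a listed token and only at the listed price.
    function buy(uint256 tokenId) external payable {
        Listing memory l = listings[tokenId];
        require(l.price > 0, "not listed");
        require(msg.value == l.price, "wrong payment");
        require(token.ownerOf(tokenId) == l.seller, "stale listing");
        delete listings[tokenId]; // update state before any external call

        // Inside the token contract, msg.sender is this marketplace, so the
        // "owner nor approved" check passes only if the seller approved it.
        token.safeTransferFrom(l.seller, msg.sender, tokenId);

        (bool ok, ) = payable(l.seller).call{value: l.price}("");
        require(ok, "payment failed");
    }
}
```

The token's approval check only answers "may this contract move the token"; whether a given caller may trigger the sale, and at what price, is decided by the listing checks in buy.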