
Allow any address holding the REVOKER_ROLE to revoke tokens #37 #46

Open
shrilakshmikakati wants to merge 1 commit into StabilityNexus:main from shrilakshmikakati:revoke-role-fix

Conversation


@shrilakshmikakati shrilakshmikakati commented Mar 10, 2026

Addressed Issues:

Fixes #(TODO:issue number)

Screenshots/Recordings:

TODO: If applicable, add screenshots or recordings that demonstrate the interface before and after the changes.

Additional Notes:

AI Usage Disclosure:

We encourage contributors to use AI tools responsibly when creating Pull Requests. While AI can be a valuable aid, it is essential to ensure that your contributions meet the task requirements, build successfully, include relevant tests, and pass all linters. Submissions that do not meet these standards may be closed without warning to maintain the quality and integrity of the project. Please take the time to understand the changes you are proposing and their impact. AI slop is strongly discouraged and may lead to banning and blocking. Do not spam our repos with AI slop.

Check one of the checkboxes below:

  • [✔] This PR does not contain AI-generated code at all.
  • This PR contains AI-generated code. I have read the AI Usage Policy and this PR complies with this policy. I have tested the code locally and I am responsible for it.

I have used the following AI models and tools: TODO

Checklist

  • [✔] My PR addresses a single issue, fixes a single bug or makes a single improvement.
  • [✔] My code follows the project's code style and conventions
  • [ ] If applicable, I have made corresponding changes or additions to the documentation
  • [ ] If applicable, I have made corresponding changes or additions to tests
  • [✔] My changes generate no new warnings or errors
  • [✔] I have joined the Discord server and I will share a link to this PR with the project maintainers there
  • [✔] I have read the Contribution Guidelines
  • [✔] Once I submit my PR, CodeRabbit AI will automatically review it and I will address CodeRabbit's comments.
  • [✔] I have filled this PR template completely and carefully, and I understand that my PR may be closed without review otherwise.

Images

  • before (screenshot not reproduced on this page)
  • after (screenshot not reproduced on this page)

Summary by CodeRabbit

Release Notes

  • Bug Fixes
    • Updated token revocation logic to properly enforce revokability status, ensuring tokens can only be revoked when designated as revokable.


coderabbitai bot commented Mar 10, 2026

Walkthrough

Modified the revokeToken function in TNT.sol to enforce a revokability check instead of verifying the caller is the token issuer. Replaced the NotIssuer authorization check with a NotRevokable check, enabling token revocation by non-issuer addresses while maintaining other token cleanup logic.

Changes

Cohort / File(s) Summary
Token Revocation Authorization
contracts/src/TNT.sol
Modified revokeToken authorization: removed NotIssuer check, added NotRevokable check to enforce revokability eligibility regardless of caller identity.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related issues

Possibly related PRs

  • Minor changes #25: Modifies the same revokeToken function in contracts/src/TNT.sol, though focused on identifier naming changes rather than authorization logic.

Suggested labels

Solidity Lang

Poem

🐰 A token's fate now rests not on who signs,
But whether its revokable spark still shines—
Permission granted where roles can decree,
Flexibility blooms, wild and free! ✨

🚥 Pre-merge checks | ✅ 2
✅ Passed checks (2 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title accurately describes the main change: removing the issuer-only restriction to allow any REVOKER_ROLE holder to revoke tokens, which directly matches the core modification in the changeset.



@coderabbitai coderabbitai bot left a comment


Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
contracts/src/TNT.sol (1)

78-88: ⚠️ Potential issue | 🟠 Major

Add regression tests for the widened revoke authority.

This changes a security-sensitive authorization path, but there are no companion tests here proving that a non-issuer with REVOKER_ROLE can now revoke while callers without the role and non-revokable contracts still revert. Please add those cases before merge.

As per coding guidelines, "Verify that any modification to contract logic includes corresponding updates to automated tests." and "Ensure security-sensitive logic changes are not introduced without adequate test coverage."

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@contracts/src/TNT.sol` around lines 78 - 88, Add regression tests covering
the widened revoke authority in revokeToken: create scenarios where (1) an
account granted REVOKER_ROLE (but not the issuer) successfully calls revokeToken
and emits TokenRevoked, (2) an account without REVOKER_ROLE is rejected (expect
revert), and (3) when revokable is false revokeToken reverts with NotRevokable;
also include a test that when the revoked owner's token list becomes empty the
IFactory.unregisterToken(address) path is invoked. Use the revokeToken function
name, REVOKER_ROLE, revokable/NotRevokable check, and verify
IFactory.unregisterToken is called as part of the flow.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 64d1b58f-ae99-4390-8d85-44ae21484fce

📥 Commits

Reviewing files that changed from the base of the PR and between cfee5d7 and 9149367.

📒 Files selected for processing (1)
  • contracts/src/TNT.sol
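The four regression cases the review above asks for (a non-issuer with REVOKER_ROLE can revoke and TokenRevoked is emitted; a caller without the role reverts; a non-revokable contract reverts with NotRevokable; the factory's unregisterToken(address) runs when the holder's list empties), together with the authorization change the walkthrough describes (NotIssuer replaced by a role check plus a NotRevokable check), written out as an added Foundry test. This is example code, not StabilityNexus's TNT.sol or its test suite: TNTModel is a hypothetical stand-in whose constructor, mint, MissingRole error, role bookkeeping and storage layout are assumptions; only revokeToken, REVOKER_ROLE, revokable, NotRevokable, TokenRevoked and IFactory.unregisterToken(address) are names from the page. It assumes Foundry with forge-std available and a compiler of 0.8.21 or later (qualified event emission).

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.21;
import {Test} from "forge-std/Test.sol";

// Assumed factory interface: only unregisterToken(address) is named on the page.
interface IFactory {
    function unregisterToken(address owner) external;
}
// Test double that counts unregister calls; the argument is checked with vm.expectCall.
contract MockFactory is IFactory {
    uint256 public unregisterCalls;
    function unregisterToken(address) external { unregisterCalls++; }
}

// Hypothetical stand-in for TNT.sol after the PR: revokeToken requires REVOKER_ROLE and
// a revokable contract, and no longer looks at issuer identity. The constructor (deployer is
// the issuer; it and `revoker_` get the role), mint, MissingRole and the storage layout are
// assumptions for this example, not project code.
contract TNTModel {
    bytes32 public constant REVOKER_ROLE = keccak256("REVOKER_ROLE");
    error NotRevokable();
    error MissingRole(bytes32 role, address account);
    event TokenRevoked(address indexed owner, uint256 indexed tokenId);
    address public immutable issuer;
    IFactory public immutable factory;
    bool public immutable revokable;
    mapping(bytes32 => mapping(address => bool)) private _roles;
    mapping(address => uint256[]) private _tokensOf;
    mapping(uint256 => address) public ownerOf;

    constructor(IFactory factory_, bool revokable_, address revoker_) {
        issuer = msg.sender;
        factory = factory_;
        revokable = revokable_;
        _roles[REVOKER_ROLE][msg.sender] = true;
        _roles[REVOKER_ROLE][revoker_] = true;
    }
    function mint(address to, uint256 tokenId) external {
        require(msg.sender == issuer, "only issuer");
        ownerOf[tokenId] = to;
        _tokensOf[to].push(tokenId);
    }
    function revokeToken(uint256 tokenId) external {
        if (!_roles[REVOKER_ROLE][msg.sender]) revert MissingRole(REVOKER_ROLE, msg.sender);
        if (!revokable) revert NotRevokable();
        address owner = ownerOf[tokenId];
        delete ownerOf[tokenId];
        _removeFromList(owner, tokenId);
        if (_tokensOf[owner].length == 0) factory.unregisterToken(owner);
        emit TokenRevoked(owner, tokenId);
    }
    function _removeFromList(address owner, uint256 tokenId) private {
        uint256[] storage list = _tokensOf[owner];
        for (uint256 i = 0; i < list.length; i++) {
            if (list[i] == tokenId) { list[i] = list[list.length - 1]; list.pop(); return; }
        }
    }
}

contract RevokeTokenTest is Test {
    MockFactory internal factory;
    TNTModel internal tnt;
    address internal revoker = makeAddr("revoker");
    address internal outsider = makeAddr("outsider");
    address internal holder = makeAddr("holder");

    function setUp() public {
        factory = new MockFactory();
        tnt = new TNTModel(factory, true, revoker); // this test contract is the issuer
        tnt.mint(holder, 1);
        tnt.mint(holder, 2);
    }
    // (1) a non-issuer holding REVOKER_ROLE can revoke, and TokenRevoked is emitted
    function test_RevokerRoleCanRevoke() public {
        vm.expectEmit(true, true, false, false, address(tnt));
        emit TNTModel.TokenRevoked(holder, 1);
        vm.prank(revoker);
        tnt.revokeToken(1);
        assertEq(tnt.ownerOf(1), address(0));
        assertEq(factory.unregisterCalls(), 0); // holder still owns token 2
    }
    // (2) an account without the role is rejected
    function test_WithoutRoleReverts() public {
        bytes32 role = tnt.REVOKER_ROLE();
        vm.expectRevert(abi.encodeWithSelector(TNTModel.MissingRole.selector, role, outsider));
        vm.prank(outsider);
        tnt.revokeToken(1);
    }
    // (3) revokable == false reverts with NotRevokable even for a role holder
    function test_NotRevokableReverts() public {
        TNTModel frozen = new TNTModel(factory, false, revoker);
        frozen.mint(holder, 7);
        vm.expectRevert(TNTModel.NotRevokable.selector);
        frozen.revokeToken(7);
    }
    // (4) revoking the holder's last token calls IFactory.unregisterToken(holder) exactly once
    function test_UnregistersWhenListEmpties() public {
        vm.expectCall(address(factory), abi.encodeCall(IFactory.unregisterToken, (holder)), 1);
        vm.startPrank(revoker);
        tnt.revokeToken(1);
        tnt.revokeToken(2);
        vm.stopPrank();
    }
}
```

Run with `forge test --match-contract RevokeTokenTest`. Case (2) is the one that matters most for this PR: once the NotIssuer check is gone, the role check is the only thing standing between an arbitrary address and revocation, so a test that an unprivileged caller reverts is what proves the authority was widened to role holders rather than to everyone.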
