A Substrate pallet for account-level filtering/permissioning.
The pallet maintains a allow-list of accounts that are permitted to submit extrinsics. Sudo (or any other governance mechanism, when supported) could be used to add and remove accounts from this list.
The filtering of incoming extrinsics and their sender accounts is done during the transaction queue validation, using the SignedExtension
trait.
- Add the module's dependency in the
Cargo.toml
of yourruntime
directory. Make sure to enter the correct path or git url of the pallet as per your setup.
[dependencies.account_filter]
package = 'substrate-account-filter'
git = 'https://github.com/gautamdhameja/substrate-account-filter.git'
default-features = false
- Declare the pallet in your
runtime/src/lib.rs
.
pub use account_filter;
impl account_filter::Config for Runtime {
type Event = Event;
}
construct_runtime!(
pub enum Runtime where
Block = Block,
NodeBlock = opaque::Block,
UncheckedExtrinsic = UncheckedExtrinsic
{
...
...
...
AccountFilter: account_filter::{Module, Call, Storage, Event<T>, Config<T>},
}
);
- Add the module's
AllowAccount
type in theSignedExtra
checklist.
pub type SignedExtra = (
...
...
balances::TakeFees<Runtime>,
account_filter::AllowAccount<Runtime>
- Add a genesis configuration for the module in the
src/chain_spec.rs
file. This configuration adds the initial account ids to the account allow-list.
use node_template_runtime::{..., AccountFilterConfig};
...
account_filter: Some(AccountFilterConfig {
allowed_accounts: vec![
(get_account_id_from_seed::<sr25519::Public>("Alice"), ()),
(get_account_id_from_seed::<sr25519::Public>("Bob"), ())],
}),
cargo build --release
and thencargo run --release -- --dev
When the node starts, only the AccountId
s added in the genesis config of this module will be able to send extrinsics to the runtime. This means that you should not leave the genesis config empty or else no one will be able to submit any extrinsics.
New AccountId
s can be added to the allow-list by calling the pallet's add_account
function using root
key as origin.
The usage of this pallet are demonstrated in the Substrate permissioning sample.
- The addition and removal of
AccountId
s to the allow-list can also be done using other governance methods instead of root. - The logic can be reversed to maintain a deny-list of accounts to prevent those
AccountId
s from sending extrinsics.
This code not audited and reviewed for production use cases. You can expect bugs and security vulnerabilities. Do not use it as-is in real applications.