- detector id: `nft-owner-check`
- severity: high

In the design of NEP-178, the owner of an NFT can approve or revoke approvals through the specified interfaces (i.e., `nft_approve`, `nft_revoke` and `nft_revoke_all`). An owner check should be implemented for these interfaces to make sure that only the owner can call them; otherwise, anyone can modify the approvals of the NFT.

Code in near-contract-standards shows the correct implementation.
```rust
// should be implemented for `nft_approve`, `nft_revoke` and `nft_revoke_all`
let owner_id = expect_token_found(self.owner_by_id.get(&token_id));
let predecessor_account_id = env::predecessor_account_id();
require!(predecessor_account_id == owner_id, "Predecessor must be token owner.");
```
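
The same guard applied to all three interfaces, as an added example that is not code from near-contract-standards or from the detector. It is a dependency-free model: the `Nft` struct, `assert_owner`, `is_approved`, `sample` and the account names are hypothetical, and the `caller` argument stands in for `env::predecessor_account_id()`.

```rust
use std::collections::{HashMap, HashSet};
// Constructed, dependency-free model of NEP-178 approval state (not near-sdk code).
// `caller` stands in for env::predecessor_account_id().
#[derive(Default)]
struct Nft {
    owner_by_id: HashMap<String, String>,              // token_id -> owner
    approvals_by_id: HashMap<String, HashSet<String>>, // token_id -> approved accounts
}

impl Nft {
    // Guard shared by every approval-management entry point.
    fn assert_owner(&self, caller: &str, token_id: &str) -> Result<(), &'static str> {
        let owner = self.owner_by_id.get(token_id).ok_or("Token not found")?;
        if owner.as_str() != caller {
            return Err("Predecessor must be token owner.");
        }
        Ok(())
    }
    fn nft_approve(&mut self, caller: &str, token_id: &str, account: &str) -> Result<(), &'static str> {
        self.assert_owner(caller, token_id)?; // check before any state change
        self.approvals_by_id.entry(token_id.to_string()).or_default().insert(account.to_string());
        Ok(())
    }
    fn nft_revoke(&mut self, caller: &str, token_id: &str, account: &str) -> Result<(), &'static str> {
        self.assert_owner(caller, token_id)?;
        if let Some(set) = self.approvals_by_id.get_mut(token_id) { set.remove(account); }
        Ok(())
    }
    fn nft_revoke_all(&mut self, caller: &str, token_id: &str) -> Result<(), &'static str> {
        self.assert_owner(caller, token_id)?;
        self.approvals_by_id.remove(token_id);
        Ok(())
    }
    fn is_approved(&self, token_id: &str, account: &str) -> bool {
        self.approvals_by_id.get(token_id).map_or(false, |s| s.contains(account))
    }
}
// Constructed sample state: alice.near owns token "1".
fn sample() -> Nft {
    let mut nft = Nft::default();
    nft.owner_by_id.insert("1".to_string(), "alice.near".to_string());
    nft
}

fn main() {
    let mut nft = sample();
    println!("non-owner approve: {:?}", nft.nft_approve("mallory.near", "1", "mallory.near"));
    println!("owner approve:     {:?}", nft.nft_approve("alice.near", "1", "market.near"));
    println!("market approved:   {}", nft.is_approved("1", "market.near"));
}
```

Routing every entry point through one guard keeps a later-added approval method from silently missing the check, which is the condition `nft-owner-check` reports.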