Closed fulldecent closed 5 years ago
Hey, thanks for the issue!
While I see your point, I think the docs are primarily aimed at the simple case where new developers are using our tooling to generate the `main` method of their main class. If contract writers are providing their own `main`, then we're assuming they understand enough to interpret the `Blockchain.getData()` information as appropriate.
I don't think this poses a security threat, though.
@jennijuju it might be a good idea to make it explicit that the tooling that generates the `main` method is only activated if no `main` method is provided, and so new developers relying on `@Callable` should NOT provide a `main` method.
Thanks @arajasek and @fulldecent. I will add an explanation/note to make it clearer.
Documentation is now public, adding a link :-)
In developers/fundamentals/avm-concepts/callable-functions/
It is documented that @callable is used to annotate a function as callable from outside of the contract.
This is inexact. Actually, @callable annotates a main function which handles all incoming calls and that main function routes calls. But actually you can override that main function, therefore invalidating the claim that @callable functions are actually callable and non-callable functions are not callable.
I consider this a security issue.
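A review-time check for the situation discussed in this thread, added here as an example (it is not code from the thread or from the project): it flags contract source that uses `@Callable` and also declares its own `main`, the case in which the generated dispatcher is not activated. The Java sources are constructed samples, and `audit_contract`, `strip_comments` and the class and method names are hypothetical; the regex assumes `main` is declared with a return type immediately before its name.

```python
import re

# A declaration "<return type> main(...) {"; does not match plain calls to main().
MAIN_DECL = re.compile(r"\b[\w\[\]<>]+\s+main\s*\([^)]*\)\s*\{")
# @Callable followed by a method declaration; captures the method name.
CALLABLE_DECL = re.compile(r"@Callable\b[^;{(]*?\b(\w+)\s*\(")

def strip_comments(src):
    # Naive removal of /* */ and // comments (ignores comment markers in strings).
    src = re.sub(r"/\*.*?\*/", "", src, flags=re.S)
    return re.sub(r"//[^\n]*", "", src)

def audit_contract(src):
    code = strip_comments(src)
    callables = CALLABLE_DECL.findall(code)
    has_main = bool(MAIN_DECL.search(code))
    # Conflict: a hand-written main decides routing, so @Callable no longer
    # describes what is reachable from outside the contract.
    return {"callables": callables, "has_main": has_main,
            "conflict": has_main and bool(callables)}

# Constructed sample: relies on the tooling to generate main.
GENERATED = """
public class Greeter {
    /* byte[] main() { } is generated by the tooling */
    @Callable
    public static String greet(String name) { return "hi " + name; }
    static void internalReset() { }
}
"""

# Constructed sample: same contract, but with a hand-written main.
OVERRIDDEN = """
public class Greeter {
    @Callable
    public static String greet(String name) { return "hi " + name; }
    static void internalReset() { }
    public static byte[] main() {
        byte[] data = Blockchain.getData();
        internalReset();   // reachable although it is not annotated
        return new byte[0];
    }
}
"""

if __name__ == "__main__":
    for label, src in (("generated", GENERATED), ("overridden", OVERRIDDEN)):
        print(label, audit_contract(src))
```

A `conflict` result means the contract's own `main` has to be read to learn which functions are reachable; the annotations alone do not answer that.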