From 61318e894082fa5481aa8c42a1a73862e3cd0970 Mon Sep 17 00:00:00 2001
From: Luk Lu <luk.lu@faronear.org>
Date: Thu, 27 Feb 2020 20:02:35 +0800
Subject: [PATCH] =?UTF-8?q?ActionTransfer:=20=E5=BF=85=E9=A1=BB=E6=A3=80?=
 =?UTF-8?q?=E6=9F=A5=E5=8F=91=E8=B5=B7=E4=BA=BA=E5=9C=B0=E5=9D=80=E5=92=8C?=
 =?UTF-8?q?=E5=85=AC=E9=92=A5=E6=98=AF=E5=8C=B9=E9=85=8D=E7=9A=84=EF=BC=8C?=
 =?UTF-8?q?=E5=90=A6=E5=88=99=E5=AE=A2=E6=88=B7=E7=AB=AF=E8=83=BD=E5=A4=9F?=
 =?UTF-8?q?=E9=80=A0=E5=81=87?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 Action.js         | 1 +
 ActionTransfer.js | 7 +++++--
 2 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/Action.js b/Action.js
index f5399e2..f78ff69 100644
--- a/Action.js
+++ b/Action.js
@@ -126,6 +126,7 @@ DAD._initTypeDict = function(typedActionDict) {
 DAD.build = async function (action, keypair) { // Applicable on client. 客户端调用 Action.build，即可新建、并打包成一个完整的子事务，不需要亲自调用 constructor, packMe 等方法。 
   if (action && action.type && keypair && keypair.seckey && keypair.pubkey) {
     let typedAction = new wo[action.type](action)
+    typedAction.actorPubkey = keypair.pubkey
     if (typedAction.validateMe()) {
       await typedAction.packMe(keypair)
       return typedAction
diff --git a/ActionTransfer.js b/ActionTransfer.js
index 47248ff..1b32121 100644
--- a/ActionTransfer.js
+++ b/ActionTransfer.js
@@ -1,4 +1,5 @@
 const Action = require('./Action.js')
+const ticCrypto = require('tic.crypto')
 
 const DAD = module.exports = function ActionTransfer (prop) {
   this._class = this.constructor.name
@@ -12,8 +13,10 @@ MOM.__proto__ = Action.prototype
 
 MOM.validateMe = function () {
   // if (sender && sender.type !== 'multisig' && action.toAddress != action.actorAddress && sender.balance >= action.amount + action.fee){
-  return this.actorAddress && this.toAddress && this.toAddress != this.actorAddress 
-    && this.amount && this.amount > 0 && (this.fee >= wo.Config.MIN_FEE_ActionTransfer || 0)
+  return this.actorAddress && this.actorPubkey && ticCrypto.pubkey2address(this.actorPubkey)=== this.actorAddress // 必须检查发起人地址和公钥是匹配的，否则客户端能够造假
+    && this.toAddress && this.toAddress != this.actorAddress 
+    && this.amount && this.amount > 0 && (this.fee >= 0)
+   
 }
 
 MOM.executableMe = async function() {