Contract CRUD via Access Keys - several PoC Tests Failing for different reasons

[TrevorJTClarke]

Hello all!
I've found some cases that I need help understanding if what I'm trying to achieve is possible, if I'm implementing wrong, or simply minor mistakes. I've created the following repo with 5 cases where I am able to create an account with a contract, but when I try to delete the account with a contract there are not sufficient permissions. As a new dev to NEAR I am a little confused why full access keys do not grant full access including delete actions.

View repo here -- https://gitlab.com/TrevorJTClarke/near-account-crud-tests/
Case Explanations: https://gitlab.com/TrevorJTClarke/near-account-crud-tests/#case-a-doesnt-work-i-believe-it-should
Code Snippets: https://gitlab.com/TrevorJTClarke/near-account-crud-tests/-/blob/master/src/lib.rs

You can see, i am trying to achieve the same effect via cli, contract or combination of both.
Any ideas on what I'm missing?
All help appreciated!

[frol]

Case A: (Doesn't work, I believe it should)

You just don't have the matching account_id with its key-pair on your local machine where you run near CLI, so CLI just cannot sign the transaction, and it has nothing to do with the permissions. You need to have ~/.near-credentials/default/cases-284814421608153814319404013.json with the public/private keys and account id. I don't have any recommendation on how to automate this step via near CLI.

Case B: (Worked! But why?)

When you create an account and have other actions in the same transaction, you have full access to the new account in that context and thus you can add new keys and delete it. FYI, it is not going to work if you split that into individual transactions as those operations will get guarded by the permissions system.

Case C: (Doesn't work, I believe it should)

You are trying to initiate a create account action on behalf of a deleted account, this is not going to work since by the time the execution of the p2 starts, there is no account and no access keys to it. What is the use-case?

Case D: (Doesn't work, I believe it should)

Same as Case A, just a matter of configuration.

Case E: (Doesn't work, I believe it should)

See case B

[TrevorJTClarke]

@frol thanks for your fast reply and explainations!

FYI, it is not going to work if you split that into individual transactions as those operations will get guarded by the permissions system.

Could you explain more here? I think this is what im missing -- If i give a contract full access, is it not able to delete in a separate promise or transaction in the future?

What is the use-case?

I am trying to achieve full account name ownership transfer, it appears the only way to do this is with account deletion and re-creation in the same transaction batch. If there is another way to do this, i'd be happy to know more!

[bowenwang1996]

Could you explain more here? I think this is what im missing -- If i give a contract full access, is it not able to delete in a separate promise or transaction in the future?

Not sure what you mean by "give a contract full access". If you are talking about having a full access key, yes, you can delete the contract with the access key. However, you will not be able to delete some other account.

it appears the only way to do this is with account deletion and re-creation in the same transaction batch

Unfortunately you cannot delete and create account in the same transaction. Delete account can only be the last action.