Project 2: Poll account is not validated in InitializeCandidate instruction #64
Description
In the InitializeCandidate instruction, the poll_account field is not constrained using PDA seeds (seeds / bump).
As a result, a candidate can be created with any poll_account, it might be a wrong poll_id or non-existing one as well. Adding a PDA constraint to the poll_account would ensure that the poll exists and matches the provided poll_id.
The code:
#[derive(Accounts)]
#[instruction(poll_id: u64, candidate: String)]
pub struct InitializeCandidate<'info> {
#[account(mut)]
pub signer: Signer<'info>,
pub poll_account: Account<'info, PollAccount>,
#[account(
init,
payer = signer,
space = 8 + CandidateAccount::INIT_SPACE,
seeds = [poll_id.to_le_bytes().as_ref(), candidate.as_ref()],
bump
)]
pub candidate_account: Account<'info, CandidateAccount>,
pub system_program: Program<'info, System>,
}