Before the multi-party submission feature it was obvious who are the controllers of a choice, in other words who can exercise that choice.
For example take a look the following code:
template Example with owner : Party observers : Set Party where signatory owner observer observers nonconsuming choice GetAnswer : Int with actor : Party controller actor do pure 42
Without multi-party submission one could state that only the stakeholders can exercise
GetAnswer, id est the
owner or any of the
That reasoning could be made purely by looking at the Daml code.
With multi-party submission the following is possible:
example_test : Script () example_test = do alice <- allocateParty "Alice" bob <- allocateParty "Bob" example <- alice `submit` createCmd Example with owner = alice, observers = Set.singleton alice submitMustFail bob $ exerciseCmd example GetAnswer with actor = bob answer <- submitMulti [bob] [alice] $ exerciseCmd example GetAnswer with actor = bob 42 === answer
So, although “Bob” does not have direct access to the contract (
submitMustFail succeeds), he can exercise the choice if is granted indirect visibility from “Alice”.
How should I think about this? Is it true that I cannot reason about the visibility of a Daml model any more just by looking at the code?