When validating an ARBITRARY transaction, ensure that the supplied name exists and is registered to the account that is signing the transaction.

This ensures that only the owner of a name is able to update data associated with that name.

Note that this doesn't take into account the ability for group members to update a resource, so this will need modifying when that feature is ultimately introduced (likely after v3.0)

src/main/java/org/qortal/transaction/ArbitraryTransaction.java

@@ -2,12 +2,14 @@ package org.qortal.transaction;
 
 import java.math.BigInteger;
 import java.util.List;
+import java.util.Objects;
 import java.util.stream.Collectors;
 
 import org.qortal.account.Account;
 import org.qortal.crypto.Crypto;
 import org.qortal.crypto.MemoryPoW;
 import org.qortal.data.PaymentData;
+import org.qortal.data.naming.NameData;
 import org.qortal.data.transaction.ArbitraryTransactionData;
 import org.qortal.data.transaction.TransactionData;
 import org.qortal.payment.Payment;
@@ -147,6 +149,21 @@ public class ArbitraryTransaction extends Transaction {
 			}
 		}
 
+		// Check name if one has been included
+		if (arbitraryTransactionData.getName() != null) {
+			NameData nameData = this.repository.getNameRepository().fromName(arbitraryTransactionData.getName());
+
+			// Check the name is registered
+			if (nameData == null) {
+				return ValidationResult.NAME_DOES_NOT_EXIST;
+			}
+
+			// Check that the transaction signer owns the name
+			if (!Objects.equals(this.getCreator().getAddress(), nameData.getOwner())) {
+				return ValidationResult.INVALID_NAME_OWNER;
+			}
+		}
+
 		// Wrap and delegate final payment validity checks to Payment class
 		return new Payment(this.repository).isValid(arbitraryTransactionData.getSenderPublicKey(), arbitraryTransactionData.getPayments(),
 				arbitraryTransactionData.getFee());