feat: Extended PM with permission owner and delegation capabilities

packages/contracts/src/core/dao/DAO.sol

@@ -28,6 +28,7 @@ import {IEIP4824} from "./IEIP4824.sol";
 /// @notice This contract is the entry point to the Aragon DAO framework and provides our users a simple and easy to use public interface.
 /// @dev Public API of the Aragon DAO framework.
 /// @custom:security-contact [email protected]
+/// @custom:oz-upgrades-unsafe-allow constructor constructor delegatecall
 contract DAO is
     IEIP4824,
     Initializable,
@@ -135,7 +136,6 @@ contract DAO is
     }
 
     /// @notice Disables the initializers on the implementation contract to prevent it from being left uninitialized.
-    /// @custom:oz-upgrades-unsafe-allow constructor
     constructor() {
         _disableInitializers();
     }
@@ -251,13 +251,7 @@ contract DAO is
         bytes32 _callId,
         Action[] calldata _actions,
         uint256 _allowFailureMap
-    )
-        external
-        override
-        nonReentrant
-        auth(EXECUTE_PERMISSION_ID)
-        returns (bytes[] memory execResults, uint256 failureMap)
-    {
+    ) external override nonReentrant returns (bytes[] memory execResults, uint256 failureMap) {
         // Check that the action array length is within bounds.
         if (_actions.length > MAX_ACTIONS) {
             revert TooManyActions();
@@ -268,12 +262,49 @@ contract DAO is
         uint256 gasBefore;
         uint256 gasAfter;
 
+        bool hasExecutePermission = isGranted(
+            address(this),
+            msg.sender,
+            EXECUTE_PERMISSION_ID,
+            msg.data
+        );
+
+        for (uint256 i = 0; i < _actions.length; i++) { // TODO: Merge this loop with the below one.
+            Action calldata action = _actions[i];
+            bytes4 id = bytes4(action.data[:4]);
+            bytes32 permHash = permissionHash(action.to, id);
+            Permission storage targetPermission = permissions[permHash];
+
+            bool isAllowed = targetPermission.created
+                ? isGranted(action.to, msg.sender, id, action.data)
+                : hasExecutePermission;
+
+            if (!isAllowed) {
+                revert Unauthorized(action.to, msg.sender, permHash);
+            }
+        }
+
         for (uint256 i = 0; i < _actions.length; ) {
             gasBefore = gasleft();
+            bool success;
+            bytes memory data;
+
+            (success, data) = _actions[i].to.call{value: _actions[i].value}(_actions[i].data);
+
+            if (_actions[i].to == address(this)) {
+                if (!success) {
+                    bytes4 result;
+
+                    assembly {
+                        result := mload(add(data, 32))
+                    }
+
+                    if (result == Unauthorized.selector || result == UnauthorizedOwner.selector) {
+                        (success, data) = _actions[i].to.delegatecall(_actions[i].data);
+                    }
+                }
+            }
 
-            (bool success, bytes memory result) = _actions[i].to.call{value: _actions[i].value}(
-                _actions[i].data
-            );
             gasAfter = gasleft();
 
             // Check if failure is allowed
@@ -297,7 +328,7 @@ contract DAO is
                 }
             }
 
-            execResults[i] = result;
+            execResults[i] = data;
 
             unchecked {
                 ++i;