V1.4 of Fabric introduces the commercial-paper sample, which is supposed to be the flagship sample showing Fabric development. I had a chance to study it today and I must say it is so ridiculous that I didn’t know whether to fall off my chair laughing or crying. Why do I say this? Because it uses the basic-network, and the basic network consists of just one organization and an orderer! So how can commercial-paper achieve a network of six organizations as outlined in their scenario (magnetocorp, digibank, bigfund, …)? Well, it can’t.
WITSC02X6385JGH:commercial-paper sjain68$ diff organization/digibank/configuration/cli/docker-compose.yml organization/magnetocorp/configuration/cli/docker-compose.yml
14,15c14,15
< cliDigiBank:
< container_name: cliDigiBank
---
> cliMagnetoCorp:
> container_name: cliMagnetoCorp
31c31
< - ./../../../../organization/digibank:/opt/gopath/src/github.com/
---
> - ./../../../../organization/magnetocorp:/opt/gopath/src/github.com/
There is no difference in the identity between the DigiBank and MagnetoCorp containers! Both use the same identity in `/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org1.example.com/users/Admin@org1.example.com/msp`.
WITSC02X6385JGH:commercial-paper sjain68$ diff fabric-samples/commercial-paper/organization/digibank/application/addToWallet.js fabric-samples/commercial-paper/organization/magnetocorp/application/addToWallet.js
15c15
< const wallet = new FileSystemWallet('../identity/user/balaji/wallet');
---
> const wallet = new FileSystemWallet('../identity/user/isabella/wallet');
23,25c23,25
< const credPath = path.join(fixtures, '/crypto-config/peerOrganizations/org1.example.com/users/Admin@org1.example.com');
< const cert = fs.readFileSync(path.join(credPath, '/msp/signcerts/Admin@org1.example.com-cert.pem')).toString();
< const key = fs.readFileSync(path.join(credPath, '/msp/keystore/cd96d5260ad4757551ed4a5a991e62130f8008a0bf996e4e4b84cd097a747fec_sk')).toString();
---
> const credPath = path.join(fixtures, '/crypto-config/peerOrganizations/org1.example.com/users/User1@org1.example.com');
> const cert = fs.readFileSync(path.join(credPath, '/msp/signcerts/User1@org1.example.com-cert.pem')).toString();
> const key = fs.readFileSync(path.join(credPath, '/msp/keystore/c75bd6911aca808941c3557ee7c97e90f3952e379497dc55eb903f31b50abc83_sk')).toString();
28c28
< const identityLabel = 'Admin@org1.example.com';
---
> const identityLabel = 'User1@org1.example.com';
Both Isabella and Balaji belong to `Org1`. Isabella uses the identity of a user and Balaji uses the identity of an admin of Org1.
There are no peer nodes corresponding to Digibank and Magnetocorp. A user can make chaincode requests and declare any random organization they wish to impersonate. In `fabric-samples/commercial-paper/organization/digibank/contract/lib/papercontract.js`:
`async issue(ctx, issuer, paperNumber, issueDateTime, maturityDateTime, faceValue)`
There is no check to even see whether the person making the request is the same as the issuer, i.e., Joe from XYZ Corp can make the request and set the issuer to ABC Corp.
`async buy(ctx, issuer, paperNumber, currentOwner, newOwner, price, purchaseDateTime)`
Again, there is no check to verify the credentials of the person making this call. You can call this endpoint and transfer ownership of paper belonging to me (currentOwner) to yourself (newOwner) without my consent. How wonderful.
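One way to add the missing checks, as an added example that is not code from the sample or from this post: each function binds the organization named in its arguments to the MSP ID of the submitting identity, read with `ctx.clientIdentity.getMSPID()`. The `ORG_MSP` mapping, the MSP names, the trimmed signatures and the in-memory `mockCtx` are assumptions made for illustration; the check only distinguishes organizations when each has its own MSP, which the basic-network does not provide.

```javascript
// Hypothetical mapping from the organization names passed as arguments to MSP IDs.
// Assumes one MSP per organization; on basic-network every caller is Org1MSP.
const ORG_MSP = { MagnetoCorp: 'MagnetoCorpMSP', DigiBank: 'DigiBankMSP' };
const key = (issuer, paperNumber) => `${issuer}:${paperNumber}`;

// Reject the call unless the submitter's certificate belongs to `org`'s MSP.
function requireCallerOrg(ctx, org) {
    const mspId = ctx.clientIdentity.getMSPID();
    if (ORG_MSP[org] !== mspId) throw new Error(`caller from ${mspId} may not act for ${org}`);
}

async function issue(ctx, issuer, paperNumber, faceValue) {
    requireCallerOrg(ctx, issuer); // the issuer argument must be the caller's own org
    const paper = { issuer, paperNumber, owner: issuer, faceValue };
    await ctx.stub.putState(key(issuer, paperNumber), Buffer.from(JSON.stringify(paper)));
    return paper;
}

async function buy(ctx, issuer, paperNumber, currentOwner, newOwner) {
    const data = await ctx.stub.getState(key(issuer, paperNumber));
    if (!data || data.length === 0) throw new Error('paper not found');
    const paper = JSON.parse(data.toString());
    if (paper.owner !== currentOwner) throw new Error('currentOwner does not own the paper');
    requireCallerOrg(ctx, paper.owner); // only the recorded owner may release the paper
    paper.owner = newOwner;
    await ctx.stub.putState(key(issuer, paperNumber), Buffer.from(JSON.stringify(paper)));
    return paper;
}

// Constructed in-memory stand-in for the transaction context, so this runs offline.
function mockCtx(mspId, ledger) {
    const stub = {
        putState: async (k, v) => { ledger.set(k, v); },
        getState: async (k) => ledger.get(k) || Buffer.alloc(0),
    };
    return { clientIdentity: { getMSPID: () => mspId }, stub };
}

// Scenario from the text: a DigiBank caller names MagnetoCorp as issuer, then as seller.
async function demo() {
    const ledger = new Map();
    const magneto = mockCtx('MagnetoCorpMSP', ledger), digi = mockCtx('DigiBankMSP', ledger);
    const attempt = (p) => p.then(() => 'ok', () => 'rejected');
    const forgedIssue = await attempt(issue(digi, 'MagnetoCorp', '00001', 5000000));
    const honestIssue = await attempt(issue(magneto, 'MagnetoCorp', '00001', 5000000));
    const theft = await attempt(buy(digi, 'MagnetoCorp', '00001', 'MagnetoCorp', 'DigiBank'));
    const sale = await attempt(buy(magneto, 'MagnetoCorp', '00001', 'MagnetoCorp', 'DigiBank'));
    return { forgedIssue, honestIssue, theft, sale };
}
```

With both sample users enrolled under `Org1`, the same check would pass for either of them, so it has to be paired with a network in which DigiBank and MagnetoCorp are separate organizations.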