
TokenTimelock release() should be restricted to beneficiary or delegate  #1234

@ddbit


🎉 Description

  • 🐛 This is a bug report.
  • 📈 This is a feature request.

💻 Environment

Next, we need to know what your environment looks like.

  • Which version of OpenZeppelin are you using?
    1.11
  • What network are you deploying to? Ganache? Ropsten?
    Ganache
  • How are you deploying your OpenZeppelin-backed contracts? truffle? Remix? Let us know!
    Truffle

📝 Details

Not exactly a bug, but I think it is a misuse of funds. At the due time anyone can release the funds from the timelock to the beneficiary, even against the will of the latter.

openzeppelin-solidity/contracts/token/ERC20/TokenTimelock.sol

🔢 Code To Reproduce Issue [ Good To Have ]

This function

  /**
   * @notice Transfers tokens held by timelock to beneficiary.
   */
  function release() public {
    // solium-disable-next-line security/no-block-members
    require(block.timestamp >= releaseTime);

    uint256 amount = token.balanceOf(this);
    require(amount > 0);

    token.safeTransfer(beneficiary, amount);
  }

Should be guarded with:

require(msg.sender == beneficiary);

or with

require(msg.sender == beneficiary || msg.sender == <whitelisted guy>);

👍 Other Information
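For illustration, here is a self-contained variant of the timelock with the restriction the issue proposes: release() may only be called by the beneficiary or by a delegate the beneficiary appoints. This is an added example, not OpenZeppelin's TokenTimelock and not code from the reporter. The names RestrictedTokenTimelock, delegate, setDelegate and onlyBeneficiaryOrDelegate are assumptions made for the example; the inline IERC20 interface and the plain transfer-with-return-check stand in for the library's SafeERC20 so the contract compiles on its own.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Minimal ERC20 interface declared inline so the example is self-contained.
interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
    function transfer(address to, uint256 amount) external returns (bool);
}

/// @dev Hypothetical timelock (added example, not OpenZeppelin code) whose
///      release() is restricted to the beneficiary or an optional delegate.
contract RestrictedTokenTimelock {
    IERC20 public immutable token;
    address public immutable beneficiary;
    uint256 public immutable releaseTime;

    // Assumed addition: an address the beneficiary may appoint to trigger
    // release on their behalf (the "whitelisted guy" from the issue).
    address public delegate;

    event DelegateChanged(address indexed previousDelegate, address indexed newDelegate);
    event Released(address indexed caller, uint256 amount);

    constructor(IERC20 token_, address beneficiary_, uint256 releaseTime_) {
        require(address(token_) != address(0), "token is zero address");
        require(beneficiary_ != address(0), "beneficiary is zero address");
        require(releaseTime_ > block.timestamp, "release time is before current time");
        token = token_;
        beneficiary = beneficiary_;
        releaseTime = releaseTime_;
    }

    // The guard proposed in the issue: beneficiary, or the appointed delegate.
    // The zero-address check keeps an unset delegate from matching anyone.
    modifier onlyBeneficiaryOrDelegate() {
        require(
            msg.sender == beneficiary || (delegate != address(0) && msg.sender == delegate),
            "caller is not beneficiary or delegate"
        );
        _;
    }

    // Only the beneficiary may appoint (or clear, with address(0)) the delegate.
    function setDelegate(address newDelegate) external {
        require(msg.sender == beneficiary, "caller is not beneficiary");
        emit DelegateChanged(delegate, newDelegate);
        delegate = newDelegate;
    }

    /// @notice Transfers tokens held by the timelock to the beneficiary,
    ///         but only when an authorised party asks for it.
    function release() external onlyBeneficiaryOrDelegate {
        require(block.timestamp >= releaseTime, "current time is before release time");

        uint256 amount = token.balanceOf(address(this));
        require(amount > 0, "no tokens to release");

        // Plain transfer with a return-value check; tokens that do not
        // return a bool need a SafeERC20-style wrapper instead.
        require(token.transfer(beneficiary, amount), "token transfer failed");
        emit Released(msg.sender, amount);
    }
}
```

The tokens still end up with the beneficiary either way; what the guard changes is who decides the moment of the transfer, which is exactly the property the issue objects to losing. Keeping setDelegate beneficiary-only matters: if anyone could set the delegate, the restriction on release() would be meaningless.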
