Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Revoked privileges cause problems with privilege-dependent items #1

Open
SwissalpS opened this issue Jun 23, 2023 · 4 comments
Open

Revoked privileges cause problems with privilege-dependent items #1

SwissalpS opened this issue Jun 23, 2023 · 4 comments
Labels
bug Something isn't working

Comments

@SwissalpS
Copy link

see: pandorabox-io/in-game#324

in a nutshell: some items are priv dependant and get removed during login as privs are revoked.
@S-S-X
Copy link
Member

S-S-X commented Jun 23, 2023

To reduce significantly what can be done while still having privileges could be:

  1. revoke just interact, keep all other privileges.
  2. override chat command handler to do simple player name check, if player is in middle of otp authentication just cancel all commands (or possibly just allow few whitelisted commands).

That should keep it compatible with almost everything as it does not need mod / command / thing specific overrides and will keep privileges but instead directly removes actual functionality until auth is done.

Freezing player / protecting player in addition to this will be useful too. One bit complicated but fool proof mechanism would be single safe protected location in map where players would be teleported on login and teleported back to original position immediately after auth is done.
Complicated because it involves actual protected in world location, kind of like what those jail mods offer.

@BuckarooBanzay
Copy link
Member

BuckarooBanzay commented Jun 23, 2023
edited
Loading

revoke just interact, keep all other privileges.

you could still execute malicious chat-commands that way :/ (//lua comes to mind)

in a nutshell: some items are priv dependant and get removed during login as privs are revoked.

my proposal (because the moderator-armor does the drop-action) would be to add an api to the otp mod and let
the moderator_armor fetch the revoked privs of the player if they are in an otp session

@BuckarooBanzay BuckarooBanzay added enhancement New feature or request bug Something isn't working and removed enhancement New feature or request labels Jun 23, 2023
@S-S-X
Copy link
Member

S-S-X commented Jun 23, 2023
edited
Loading

you could still execute malicious chat-commands that way :/ (//lua comes to mind)

You probably missed my proposal to override all chat command handlers and disable every chat command directly?

So you could run any chat command but every command would return say Chat commands are disabled until authentication is completed. Not 100% sure about this but It should be as simple as swapping first core.registered_on_chat_messages to handler that checks if player has entered otp or not and cancels real first handler returning error message.

I'm pretty sure it is single entry point for every possible chat input unless if there is some very special commands implemented in engine c++ core, not aware of any such thing.

@OgelGames OgelGames changed the title freeze and protect player until token entered Revoked privileges cause problems with privilege-dependent items Jun 24, 2023
@BuckarooBanzay
Copy link
Member

You probably missed my proposal to override all chat command handlers and disable every chat command directly?

yeah, i was in a hurry and missed that part, sorry. This does make sense 👍

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@SwissalpS @BuckarooBanzay @S-S-X