Edit signs without interact priv?!?

BBmine
Member
 
Posts: 1425
Joined: Sun Jul 12, 2015 22:51
Location: United States of Trumpland
GitHub: BBmine
IRC: BBmine
In-game: Baggins

Edit signs without interact priv?!?

by BBmine » Thu Feb 16, 2017 21:15

Hey, as default on my Hommies server, players do not have interact. The server is on minetesthosting.com and 0.4.14. Somebody WITHOUT interact privs edited different signs around spawn.

BTW, I thought I had posted this before, but either (A) I really didn't, (B) I did, but the forums have a bug, or (C) an admin/moderator deleted it. :P
God's not dead!
I actually did mine walls before I started playing this game....
Mods, Servers, and My Youtube Channel
Let us remember Just Test on April 16.
"Together, we will make America great again!" --President Trump
Please vote for the next video I should do here
I'm the most rottenist potato in the fridge.
Copyright (c) 2017 Baggins Inc. (tm) All rights reserved.
 

Naj
Member
 
Posts: 170
Joined: Sat Sep 19, 2015 21:14
Location: Paris
GitHub: pyrollo
In-game: naj

Re: Edit signs without interact priv?!?

by Naj » Fri Feb 17, 2017 09:00

BTW, I thought I had posted this before, but either (A) I really didn't, (B) I did, but the forums have a bug, or (C) an admin/moderator deleted it. :P


(D) Somebody WITHOUT interact privs edited your post
 

addi
Member
 
Posts: 605
Joined: Thu Sep 20, 2012 03:16
Location: Black-Forest, Germany

Re: Edit signs without interact priv?!?

by addi » Fri Feb 17, 2017 09:39

hmm looks like that old bug is back: https://github.com/minetest/minetest_game/issues/210
Maybe in combination with a manipulated client
 

sorcerykid
Member
 
Posts: 209
Joined: Fri Aug 26, 2016 15:36
Location: Illinois, USA
In-game: Nemo

Re: Edit signs without interact priv?!?

by sorcerykid » Fri Feb 17, 2017 13:25

Were the signs protected? Afaik, the formspecs for default signs use client-side prediction. And validation of that form doesn't occur until submission. And at least in 0.4.14, there is no check for privileges, only protection (see below). I imagine this bug also affects unlocked chests and bookshelves for the same reason.

Code:
                on_receive_fields = function(pos, formname, fields, sender)
                        --print("Sign at "..minetest.pos_to_string(pos).." got "..dump(fields))
                        local player_name = sender:get_player_name()
                        if minetest.is_protected(pos, player_name) then
                                minetest.record_protection_violation(pos, player_name)
                                return
                        end
                        local meta = minetest.get_meta(pos)
                        if not fields.text then return end
                        minetest.log("action", (player_name or "") .. " wrote \"" ..
                                fields.text .. "\" to sign at " .. minetest.pos_to_string(pos))
                        meta:set_string("text", fields.text)
                        meta:set_string("infotext", '"' .. fields.text .. '"')
                end,
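
The handler quoted above with a server-side privilege check added, so the decision does not depend on the client refusing to open the form. This is an added example, not code from the thread or from minetest_game; the mod itself, the helper names and the list of sign node names are assumptions.

```lua
-- init.lua of a small hypothetical server mod; it must depend on "default".
-- Added example, not code from minetest_game or from the thread.

-- Decide on the server whether this player may change the node at pos.
local function may_edit(pos, player_name)
	-- The check the quoted 0.4.14 handler lacks: require the interact privilege.
	if not minetest.check_player_privs(player_name, {interact = true}) then
		return false, "no interact privilege"
	end
	-- The check the quoted handler already performs.
	if minetest.is_protected(pos, player_name) then
		minetest.record_protection_violation(pos, player_name)
		return false, "protected area"
	end
	return true
end

local function guarded_receive_fields(pos, formname, fields, sender)
	if not sender or not sender:is_player() then
		return
	end
	local player_name = sender:get_player_name()
	local ok, reason = may_edit(pos, player_name)
	if not ok then
		-- Log refusals so an operator can see who submitted the form anyway.
		minetest.log("action", player_name .. " was refused a sign edit at " ..
			minetest.pos_to_string(pos) .. " (" .. reason .. ")")
		return
	end
	if type(fields.text) ~= "string" then
		return
	end
	minetest.log("action", player_name .. " wrote \"" .. fields.text ..
		"\" to sign at " .. minetest.pos_to_string(pos))
	local meta = minetest.get_meta(pos)
	meta:set_string("text", fields.text)
	meta:set_string("infotext", '"' .. fields.text .. '"')
end

-- Assumed node names; adjust to the sign nodes your game version registers.
for _, name in ipairs({"default:sign_wall", "default:sign_wall_wood",
		"default:sign_wall_steel"}) do
	if minetest.registered_nodes[name] then
		minetest.override_item(name, {on_receive_fields = guarded_receive_fields})
	end
end
```

The refusal log line gives the operator the player name and sign position for any form submission that arrives without the privilege.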
 

BBmine
Member
 
Posts: 1425
Joined: Sun Jul 12, 2015 22:51
Location: United States of Trumpland
GitHub: BBmine
IRC: BBmine
In-game: Baggins

Re: Edit signs without interact priv?!?

by BBmine » Fri Feb 17, 2017 13:46

sorcerykid wrote:Were the signs protected? Afaik, the formspecs for default signs use client-side prediction. And validation of that form doesn't occur until submission. And at least in 0.4.14, there is no check for privileges, only protection (see below). I imagine this bug also affects unlocked chests and bookshelves for the same reason.

Code:
                on_receive_fields = function(pos, formname, fields, sender)
                        --print("Sign at "..minetest.pos_to_string(pos).." got "..dump(fields))
                        local player_name = sender:get_player_name()
                        if minetest.is_protected(pos, player_name) then
                                minetest.record_protection_violation(pos, player_name)
                                return
                        end
                        local meta = minetest.get_meta(pos)
                        if not fields.text then return end
                        minetest.log("action", (player_name or "") .. " wrote \"" ..
                                fields.text .. "\" to sign at " .. minetest.pos_to_string(pos))
                        meta:set_string("text", fields.text)
                        meta:set_string("infotext", '"' .. fields.text .. '"')
                end,

It was not protected because I use the free version of that hosting service, which only includes vanilla and external_cmd. Maybe I should stop having my furnaces stuffed......

Oh also, I tried banning the guy who did that, but because he was not online at the time, it wouldn't ban him >:(
 

BBmine
Member
 
Posts: 1425
Joined: Sun Jul 12, 2015 22:51
Location: United States of Trumpland
GitHub: BBmine
IRC: BBmine
In-game: Baggins

Re: Edit signs without interact priv?!?

by BBmine » Fri Feb 17, 2017 13:56

I just did a test with a client that has no interact privs. I can't even right-click on anything. Not even signs. So either that player was cheating, or he had an old, dumb client. The trick is how to ban him. :P
 

sorcerykid
Member
 
Posts: 209
Joined: Fri Aug 26, 2016 15:36
Location: Illinois, USA
In-game: Nemo

Re: Edit signs without interact priv?!?

by sorcerykid » Fri Feb 17, 2017 16:24

Thanks for the heads up. It looks like right-clicking is indeed disabled once interact is revoked. That is very good to know.
 

BBmine
Member
 
Posts: 1425
Joined: Sun Jul 12, 2015 22:51
Location: United States of Trumpland
GitHub: BBmine
IRC: BBmine
In-game: Baggins

Re: Edit signs without interact priv?!?

by BBmine » Sat Feb 18, 2017 01:13

Oh, if you want to test it with different clients, the server is: minetesthosting.com PORT: 30352 :)

You will have no interact by default, unless I already granted you interact, in which case, create another account.
 

