Edit signs without interact priv?!?

User avatar
BBmine
Member
 
Posts: 3315
Joined: Sun Jul 12, 2015 22:51
Location: USA
GitHub: BBmine
IRC: BBmine
In-game: Baggins

Edit signs without interact priv?!?

by BBmine » Thu Feb 16, 2017 21:15

Hey, as default on my Hommies server, players do not have interact. The server is on minetesthosting.com and 0.4.14. Somebody WITHOUT interact privs edited different signs around spawn.

BTW, I thought I had posted this before, but either (A) I really didn't, (B) I did, but the forums have a bug, or (C) an admin/moderator deleted it. :P
God's not dead! -- Mods, Servers, My Youtube Channel My forum Good Music -- Never gonna give you up!!
 

User avatar
Naj
Member
 
Posts: 192
Joined: Sat Sep 19, 2015 21:14
Location: Paris
GitHub: pyrollo
In-game: naj

Re: Edit signs without interact priv?!?

by Naj » Fri Feb 17, 2017 09:00

BTW, I thought I had posted this before, but either (A) I really didn't, (B) I did, but the forums have a bug, or (C) an admin/moderator deleted it. :P


(D) Somebody WITHOUT interact privs edited your post
 

User avatar
addi
Member
 
Posts: 620
Joined: Thu Sep 20, 2012 03:16
Location: Black-Forest, Germany

Re: Edit signs without interact priv?!?

by addi » Fri Feb 17, 2017 09:39

hmm looks like that old bug is back: https://github.com/minetest/minetest_game/issues/210
Maybe in combination with a manipulated client
 

User avatar
sorcerykid
Member
 
Posts: 508
Joined: Fri Aug 26, 2016 15:36
Location: Illinois, USA
In-game: Nemo

Re: Edit signs without interact priv?!?

by sorcerykid » Fri Feb 17, 2017 13:25

Were the signs protected? Afaik, the formspects for default signs use client-side prediction. And validation of that form doesn't occur until submission. And at least in 0.4.14, there is no check for privileges only protection (see below). I imagine this bug also affects unlocked chests and bookshelves for the same reason.

Code: Select all
                on_receive_fields = function(pos, formname, fields, sender)
                        --print("Sign at "..minetest.pos_to_string(pos).." got "..dump(fields))
                        local player_name = sender:get_player_name()
                        if minetest.is_protected(pos, player_name) then
                                minetest.record_protection_violation(pos, player_name)
                                return
                        end
                        local meta = minetest.get_meta(pos)
                        if not fields.text then return end
                        minetest.log("action", (player_name or "") .. " wrote \"" ..
                                fields.text .. "\" to sign at " .. minetest.pos_to_string(pos))
                        meta:set_string("text", fields.text)
                        meta:set_string("infotext", '"' .. fields.text .. '"')
                end,
 

User avatar
BBmine
Member
 
Posts: 3315
Joined: Sun Jul 12, 2015 22:51
Location: USA
GitHub: BBmine
IRC: BBmine
In-game: Baggins

Re: Edit signs without interact priv?!?

by BBmine » Fri Feb 17, 2017 13:46

sorcerykid wrote:Were the signs protected? Afaik, the formspects for default signs use client-side prediction. And validation of that form doesn't occur until submission. And at least in 0.4.14, there is no check for privileges only protection (see below). I imagine this bug also affects unlocked chests and bookshelves for the same reason.

Code: Select all
                on_receive_fields = function(pos, formname, fields, sender)
                        --print("Sign at "..minetest.pos_to_string(pos).." got "..dump(fields))
                        local player_name = sender:get_player_name()
                        if minetest.is_protected(pos, player_name) then
                                minetest.record_protection_violation(pos, player_name)
                                return
                        end
                        local meta = minetest.get_meta(pos)
                        if not fields.text then return end
                        minetest.log("action", (player_name or "") .. " wrote \"" ..
                                fields.text .. "\" to sign at " .. minetest.pos_to_string(pos))
                        meta:set_string("text", fields.text)
                        meta:set_string("infotext", '"' .. fields.text .. '"')
                end,

It was not protected because I use the free version of that hosting service, which only includes vanilla and external_cmd. Maybe I should stop having my furnaces stuffed......

Oh also, I tried banning the guy who did that, but because he was not online at the time, it wouldn't ban him >:(
God's not dead! -- Mods, Servers, My Youtube Channel My forum Good Music -- Never gonna give you up!!
 

User avatar
BBmine
Member
 
Posts: 3315
Joined: Sun Jul 12, 2015 22:51
Location: USA
GitHub: BBmine
IRC: BBmine
In-game: Baggins

Re: Edit signs without interact priv?!?

by BBmine » Fri Feb 17, 2017 13:56

I just did a test with a client that has no interact privs. I can't even right-click on anything. Not even signs. So either that player was cheating, or he had an old, dumb client. The trick is how to ban him. :P
God's not dead! -- Mods, Servers, My Youtube Channel My forum Good Music -- Never gonna give you up!!
 

User avatar
sorcerykid
Member
 
Posts: 508
Joined: Fri Aug 26, 2016 15:36
Location: Illinois, USA
In-game: Nemo

Re: Edit signs without interact priv?!?

by sorcerykid » Fri Feb 17, 2017 16:24

Thanks for the heads up. It looks like right-clicking is indeed disabled once interact is revoked. That is very good to know.
 

User avatar
BBmine
Member
 
Posts: 3315
Joined: Sun Jul 12, 2015 22:51
Location: USA
GitHub: BBmine
IRC: BBmine
In-game: Baggins

Re: Edit signs without interact priv?!?

by BBmine » Sat Feb 18, 2017 01:13

Oh, if you want to test it with different clients, the server is: minetesthosting.com PORT: 30352 :)

You will have no interact by default, unless I already granted you interact, in which case, create another account.
God's not dead! -- Mods, Servers, My Youtube Channel My forum Good Music -- Never gonna give you up!!
 


Return to Bugs and Problems



Who is online

Users browsing this forum: No registered users and 3 guests