From eb2e5f4cdf2820a5bdf1a4f516bd9dcc8a2f2ce3 Mon Sep 17 00:00:00 2001 From: Blockhead Date: Sun, 28 Jun 2020 23:39:32 +1000 Subject: Fix access control to wagon properties Previously, players were able to open the wagon properties of any wagon at all through the wagon properties button on the inventory formspec and through the wagon buttons on the onboard computer. Add a check for ownership before allowing players to open wagon properties. --- advtrains/wagons.lua | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'advtrains/wagons.lua') diff --git a/advtrains/wagons.lua b/advtrains/wagons.lua index c44cd9c..2b0833d 100644 --- a/advtrains/wagons.lua +++ b/advtrains/wagons.lua @@ -921,7 +921,7 @@ function wagon:handle_bordcom_fields(pname, formname, fields) advtrains.safe_decouple_wagon(tpid, pname) elseif fields["wgprp"..i] then for _,wagon in pairs(minetest.luaentities) do - if wagon.is_wagon and wagon.initialized and wagon.id==tpid then + if wagon.is_wagon and wagon.initialized and wagon.id==tpid and data.owner==pname then wagon:show_wagon_properties(pname) return end @@ -1029,7 +1029,7 @@ minetest.register_on_player_receive_fields(function(player, formname, fields) local data = advtrains.wagons[uid] if fields.prop and data.owner==pname then for _,wagon in pairs(minetest.luaentities) do - if wagon.is_wagon and wagon.initialized and wagon.id==uid then + if wagon.is_wagon and wagon.initialized and wagon.id==uid and data.owner==pname then wagon:show_wagon_properties(pname) --wagon:handle_bordcom_fields(player:get_player_name(), formname, fields) end -- cgit v1.2.3