From 41beb74ef7eab2a2c634cd2c23671807443788aa Mon Sep 17 00:00:00 2001
From: SmallJoker <mk939@ymail.com>
Date: Sun, 7 Mar 2021 10:04:07 +0100
Subject: Protect per-player detached inventory actions

---
 src/network/serverpackethandler.cpp | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

(limited to 'src/network')

diff --git a/src/network/serverpackethandler.cpp b/src/network/serverpackethandler.cpp
index ddc6f4e47..f1ed42302 100644
--- a/src/network/serverpackethandler.cpp
+++ b/src/network/serverpackethandler.cpp
@@ -626,7 +626,7 @@ void Server::handleCommand_InventoryAction(NetworkPacket* pkt)
 
 	const bool player_has_interact = checkPriv(player->getName(), "interact");
 
-	auto check_inv_access = [player, player_has_interact] (
+	auto check_inv_access = [player, player_has_interact, this] (
 			const InventoryLocation &loc) -> bool {
 		if (loc.type == InventoryLocation::CURRENT_PLAYER)
 			return false; // Only used internally on the client, never sent
@@ -634,6 +634,10 @@ void Server::handleCommand_InventoryAction(NetworkPacket* pkt)
 			// Allow access to own inventory in all cases
 			return loc.name == player->getName();
 		}
+		if (loc.type == InventoryLocation::DETACHED) {
+			if (!getInventoryMgr()->checkDetachedInventoryAccess(loc, player->getName()))
+				return false;
+		}
 
 		if (!player_has_interact) {
 			infostream << "Cannot modify foreign inventory: "
-- 
cgit v1.2.3