From 83060e9e85be790f64fcf51def1f024699a46d2d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Gabriel=20P=C3=A9rez-Cerezo?=
Date: Fri, 6 Mar 2020 23:24:34 +0100
Subject: [Security] Only allow unlimited shop creation if player is allowed

The previous code assumed that the limit toggle button cannot be pressed by non-creative players. However, this is easily possible with a specially crafted client, that submits this field. The fix checks if the player really has creative before switching a shop to unlimited mode.
---
 init.lua | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/init.lua b/init.lua
index b54edc7..813ba6a 100644
--- a/init.lua
+++ b/init.lua
@@ -106,6 +106,9 @@ smartshop.send_mail=function(owner, pos, item)
 	mail.send("DO NOT REPLY", owner, "Out of "..smartshop.get_human_name(item).." at "..spos, "Your smartshop at "..spos.." is out of "..smartshop.get_human_name(item)..". Please restock")
 end
+local function is_creative(pname)
+	return minetest.check_player_privs(pname, {creative=true}) or minetest.check_player_privs(pname, {give=true})
+end
 smartshop.receive_fields=function(player,pressed)
 	local pname = player:get_player_name()
@@ -117,6 +120,12 @@ smartshop.receive_fields=function(player,pressed)
 		return smartshop.showform(pos, player, true)
 	elseif pressed.tooglelime then
 		local meta=minetest.get_meta(pos)
+		if not is_creative(pname) then
+			meta:set_int("type", 1)
+			meta:set_int("creative", 0)
+			minetest.chat_send_player(pname, "You are not allowed to make a creative shop!")
+			return
+		end
 		if meta:get_int("type")==0 then
 			meta:set_int("type",1)
 			minetest.chat_send_player(pname, "Your stock is limited")
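Review bot: `is_creative` carries no comment and its name undersells what it grants — it also returns true for the `give` privilege, so a reader of the call sites will not see that `give` alone unlocks an unlimited shop. Add a header above the helper, `-- True when pname may run an unlimited (stock-free) shop: requires the creative or the give privilege.` The helper is a file-level local declared before both functions that use it, so the upvalue capture in `after_place_node` (second hunk of this file) works; keep it above them if the file is ever reordered.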
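Review bot: The new guard on `pressed.tooglelime` resets `type`/`creative` and sends "You are not allowed to make a creative shop!" even when the shop was already limited and the player merely pressed the toggle — harmless for the security fix, but the message misleads; consider sending it only when `meta:get_int("creative")==1` or wording it as a refusal to switch. The same principle applies to every other field `receive_fields` handles: a formspec field hidden from a player can still be submitted by a modified client, so each branch outside this hunk should likewise validate the sender's privileges and, presumably, shop ownership — `pos` and the rest of the function lie outside the hunk, so I cannot see where that check is made. The early `return` also skips whatever form refresh the sibling branches perform, if any.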
@@ -414,7 +423,7 @@ after_place_node = function(pos, placer)
 	meta:set_string("owner",placer:get_player_name())
 	meta:set_string("infotext", "Shop by: " .. placer:get_player_name())
 	meta:set_int("type",1)
-	if minetest.check_player_privs(placer:get_player_name(), {creative=true}) or minetest.check_player_privs(placer:get_player_name(), {give=true}) then
+	if is_creative(placer:get_player_name()) then
 		meta:set_int("creative",1)
 		meta:set_int("type",0)
 	end
-- cgit v1.2.3