[Security] Only allow unlimited shop creation if player is allowed
authorGabriel Pérez-Cerezo <gabriel@gpcf.eu>
Fri, 6 Mar 2020 22:24:34 +0000 (23:24 +0100)
committerGabriel Pérez-Cerezo <gabriel@gpcf.eu>
Fri, 6 Mar 2020 22:24:34 +0000 (23:24 +0100)
The previous code assumed that the limit toggle button cannot be
pressed by non-creative players. However, this is easily possible with
a specially crafted client that submits this field. The fix checks
whether the player really has creative before switching a shop to
unlimited mode.

init.lua

index b54edc7..813ba6a 100644 (file)
--- a/init.lua
+++ b/init.lua
@@ -106,6 +106,9 @@ smartshop.send_mail=function(owner, pos, item)
    mail.send("DO NOT REPLY", owner, "Out of "..smartshop.get_human_name(item).." at "..spos, "Your smartshop at "..spos.." is out of "..smartshop.get_human_name(item)..". Please restock")
 end
 
+local function is_creative(pname)
+       return minetest.check_player_privs(pname, {creative=true}) or minetest.check_player_privs(pname, {give=true})
+end
 
 smartshop.receive_fields=function(player,pressed)
        local pname = player:get_player_name()
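Review bot: `is_creative` is now the only server-side gate for unlimited shops, but it has no comment, and its name suggests only the `creative` privilege while the body also accepts `give`. I would add a comment above it such as `-- Server-side check: true if the player holds the "creative" or "give" privilege; never rely on the formspec hiding the button.` so that later callers know both what it grants and why it exists.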
@@ -117,6 +120,12 @@ smartshop.receive_fields=function(player,pressed)
                        return smartshop.showform(pos, player, true)
                elseif pressed.tooglelime then
                        local meta=minetest.get_meta(pos)
+                       if not is_creative(pname) then
+                               meta:set_int("type", 1)
+                               meta:set_int("creative", 0)
+                               minetest.chat_send_player(pname, "You are not allowed to make a creative shop!")
+                               return
+                       end
                        if meta:get_int("type")==0 then
                                meta:set_int("type",1)
                                minetest.chat_send_player(pname, "Your stock is limited")
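Review bot: The rejection branch under `pressed.tooglelime` writes `type` and `creative` into the node metadata before it returns, so a denied request still changes state on the strength of a client-submitted field. Whether `pos` is confirmed to belong to `pname` is decided outside this hunk; if it is not, the owner comparison should come before any `meta:set_int`, for example `if meta:get_string("owner") ~= pname then return end`, or the mod's own access helper if it has one. The assumption this commit corrects, that a button the form does not show cannot be pressed, is worth auditing for the other `pressed.*` branches of receive_fields, whose body continues outside the hunk.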
@@ -414,7 +423,7 @@ after_place_node = function(pos, placer)
                meta:set_string("owner",placer:get_player_name())
                meta:set_string("infotext", "Shop by: " .. placer:get_player_name())
                meta:set_int("type",1)
-               if minetest.check_player_privs(placer:get_player_name(), {creative=true}) or minetest.check_player_privs(placer:get_player_name(), {give=true}) then
+               if is_creative(placer:get_player_name()) then
                        meta:set_int("creative",1)
                        meta:set_int("type",0)
                end
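Review bot: `placer:get_player_name()` is still evaluated three times in this part of after_place_node; a single `local pname = placer:get_player_name()` above the `meta:set_string("owner", ...)` line would make it obvious that the stored owner and the privilege check use the same name. As far as I know, the engine can invoke this callback with a nil placer when a node is placed by another mod rather than a player, in which case the method call would raise, so a guard on `placer` is worth considering. The function starts and ends outside the hunk.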