Fix vulnerability due to missing priv check
parent
d5c77d7042
commit
a6741081c9
|
@ -20,7 +20,8 @@ local function flatten_list(list, level, out)
|
|||
end
|
||||
|
||||
local function build_list()
|
||||
return flatten_list(land.get_area_tree())
|
||||
local tree = land.get_area_tree()
|
||||
return flatten_list(tree)
|
||||
end
|
||||
|
||||
|
||||
|
@ -137,4 +138,4 @@ land.show_debug_to = lib_quickfs.register("land:debug", function(self, playernam
|
|||
return true
|
||||
end
|
||||
end
|
||||
end)
|
||||
end, { land_admin = true })
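Review bot: The trailing `{ land_admin = true }` on the `land:debug` registration is now the only thing restricting this form, and nothing at the call site says so. The `lib_quickfs.register` call starts outside this hunk, so whether its callbacks do any privilege checking of their own cannot be seen here; presumably they rely entirely on this argument. A short comment above the table would keep a later refactor from dropping it, for example `-- privs: enforced by lib_quickfs when the form is shown and on every field submission`. Since the argument is optional in `lib_quickfs.register`, any other registration in this mod that exposes admin actions needs the same fourth argument; none is visible in this commit.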
|
||||
|
|
|
@ -1,21 +1,31 @@
|
|||
lib_quickfs = {}
|
||||
|
||||
function lib_quickfs.register(name, func, cb)
|
||||
function lib_quickfs.register(name, func, cb, privs)
|
||||
local player_contexts = {}
|
||||
|
||||
minetest.register_on_player_receive_fields(function(player, formname, fields)
|
||||
if formname == name then
|
||||
local playername = player:get_player_name()
|
||||
local context = player_contexts[playername]
|
||||
if formname ~= name then
|
||||
return
|
||||
end
|
||||
|
||||
if context and cb(context, player, formname, fields) then
|
||||
local formspec = func(context, playername)
|
||||
minetest.show_formspec(playername, name, formspec)
|
||||
end
|
||||
if privs and not minetest.check_player_privs(player, privs) then
|
||||
return
|
||||
end
|
||||
|
||||
local playername = player:get_player_name()
|
||||
local context = player_contexts[playername]
|
||||
|
||||
if context and cb(context, player, formname, fields) then
|
||||
local formspec = func(context, playername)
|
||||
minetest.show_formspec(playername, name, formspec)
|
||||
end
|
||||
end)
|
||||
|
||||
return function(playername, ...)
|
||||
if privs and not minetest.check_player_privs(playername, privs) then
|
||||
return
|
||||
end
|
||||
|
||||
local context = {
|
||||
playername = playername,
|
||||
args = { ... },
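Review bot: The new privilege check in the `minetest.register_on_player_receive_fields` handler returns silently and leaves any existing `player_contexts[playername]` entry in place. Fields arriving for a gated form from a player who lacks the privileges are worth recording, and a context created before a privilege was revoked should not outlive the denial. Moving `local playername = player:get_player_name()` above the check and adding `player_contexts[playername] = nil` and `minetest.log("warning", playername .. " sent fields for " .. name .. " without the required privileges")` before the `return` would cover both. Because `privs` is optional, a registration that omits it stays unchecked, so a doc comment on `lib_quickfs.register` should state that the check is skipped when `privs` is nil. The returned show function continues past the end of this hunk.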
|
||||
|
|