forked from Mirrorlandia_minetest/minetest
Protect per-player detached inventory actions
This commit is contained in:
parent
67be50b706
commit
41beb74ef7
@ -626,7 +626,7 @@ void Server::handleCommand_InventoryAction(NetworkPacket* pkt)
|
|||||||
|
|
||||||
const bool player_has_interact = checkPriv(player->getName(), "interact");
|
const bool player_has_interact = checkPriv(player->getName(), "interact");
|
||||||
|
|
||||||
auto check_inv_access = [player, player_has_interact] (
|
auto check_inv_access = [player, player_has_interact, this] (
|
||||||
const InventoryLocation &loc) -> bool {
|
const InventoryLocation &loc) -> bool {
|
||||||
if (loc.type == InventoryLocation::CURRENT_PLAYER)
|
if (loc.type == InventoryLocation::CURRENT_PLAYER)
|
||||||
return false; // Only used internally on the client, never sent
|
return false; // Only used internally on the client, never sent
|
||||||
@ -634,6 +634,10 @@ void Server::handleCommand_InventoryAction(NetworkPacket* pkt)
|
|||||||
// Allow access to own inventory in all cases
|
// Allow access to own inventory in all cases
|
||||||
return loc.name == player->getName();
|
return loc.name == player->getName();
|
||||||
}
|
}
|
||||||
|
if (loc.type == InventoryLocation::DETACHED) {
|
||||||
|
if (!getInventoryMgr()->checkDetachedInventoryAccess(loc, player->getName()))
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
|
||||||
if (!player_has_interact) {
|
if (!player_has_interact) {
|
||||||
infostream << "Cannot modify foreign inventory: "
|
infostream << "Cannot modify foreign inventory: "
|
||||||
|
@ -168,6 +168,18 @@ bool ServerInventoryManager::removeDetachedInventory(const std::string &name)
|
|||||||
return true;
|
return true;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
bool ServerInventoryManager::checkDetachedInventoryAccess(
|
||||||
|
const InventoryLocation &loc, const std::string &player) const
|
||||||
|
{
|
||||||
|
SANITY_CHECK(loc.type == InventoryLocation::DETACHED);
|
||||||
|
|
||||||
|
const auto &inv_it = m_detached_inventories.find(loc.name);
|
||||||
|
if (inv_it == m_detached_inventories.end())
|
||||||
|
return false;
|
||||||
|
|
||||||
|
return inv_it->second.owner.empty() || inv_it->second.owner == player;
|
||||||
|
}
|
||||||
|
|
||||||
void ServerInventoryManager::sendDetachedInventories(const std::string &peer_name,
|
void ServerInventoryManager::sendDetachedInventories(const std::string &peer_name,
|
||||||
bool incremental,
|
bool incremental,
|
||||||
std::function<void(const std::string &, Inventory *)> apply_cb)
|
std::function<void(const std::string &, Inventory *)> apply_cb)
|
||||||
|
@ -43,6 +43,7 @@ public:
|
|||||||
Inventory *createDetachedInventory(const std::string &name, IItemDefManager *idef,
|
Inventory *createDetachedInventory(const std::string &name, IItemDefManager *idef,
|
||||||
const std::string &player = "");
|
const std::string &player = "");
|
||||||
bool removeDetachedInventory(const std::string &name);
|
bool removeDetachedInventory(const std::string &name);
|
||||||
|
bool checkDetachedInventoryAccess(const InventoryLocation &loc, const std::string &player) const;
|
||||||
|
|
||||||
void sendDetachedInventories(const std::string &peer_name, bool incremental,
|
void sendDetachedInventories(const std::string &peer_name, bool incremental,
|
||||||
std::function<void(const std::string &, Inventory *)> apply_cb);
|
std::function<void(const std::string &, Inventory *)> apply_cb);
|
||||||
|
Loading…
Reference in New Issue
Block a user