Type of bug

Data loss, Exploit

/ess dump all output

https://essentialsx.net/dump.html?id=366a9d2a01244f09ba4d7bfe6c531af7

Error log (if applicable)

No response

Bug description

If a [Trade] sign created on version before 2.19.3-dev+19 is loaded on 2.19.3-dev+19 or newer, EssentialsX will try to migrate the sign to store the owner in NBT rather than relying on the username on the sign. Due to an oversight in #4713, the owner in NBT is always changed to the first person to right-click the sign after an update, without verifying that the user is actually the owner. Any subsequent attempts to use the sign will then change the username displayed on the sign, irreversibly changing the sign's owner.

Steps to reproduce

With two players, A and B:

1. As player A, create a [Trade] sign on 2.19.3-dev+18 or older
2. On 2.19.3-dev+19 or newer (including 2.19.3 release), right-click the sign as player B (doesn't need to be anything in stock)
3. Pick the sign with NBT (Ctrl+MMB) and then inspect the BlockEntityTag.PublicBukkitValues["essentials:owner"] tag.
4. As player A, right-click the sign again and observe the username on the sign.

Expected behaviour

3. The owner tag should be that of player A or should not exist until player A themselves uses the sign.
4. The username should not change to another players' username.

Actual behaviour

3. The owner UUID in the sign's NBT is set to that of player B, not player A
4. The username changes to that of player B. There is now no trace of player A ever owning the sign.
   • The username should only change if player A changes their username and logs back in.

NBT after right-clicking a sign created by mdcfe2 twice:

Notice the username is now MD678685 and the UUID belongs to that player too.