DANGEROUS bug! "/ps take" can be abused by players allowed in a field!
spetznack opened this issue ยท 2 comments
Players can use "/ps take" on any field the player is allowed in, even when the player is not the owner of the field! Only permission required is "preciousstones.benefit.*"!
This is not logged anywhere and can be very hardly abused once people knows about it! :(
Confirmed using a clean installment with:
Permissionsbukkit - version 2.0
PreciousStones - #366 (Jan 18, 2014 9:04:50 AM)
Spigot - #1316 (Wed Feb 12 15:49:41 EST 2014)
I could not replicate this with Build #369 (Feb 1, 2014 5:11:47 PM) , but with that build I can't modify fields using the ps tool (default diamondpick I believe) which I guess is another bug report I should write?
This is still a issue, maybe this update have something to do with it?:
http://sacredlabyrinth.net:8080/job/PreciousStones/356/
If I had the setup to test if the bug was introduced in this update --> I would.. But I can't :/