Slimefun

Slimefun

3M Downloads

Non-admins can open and close settings to bypass admin-only cheatsheet.

AetherealPenguin opened this issue · 0 comments

commented

❗ Checklist

  • I am using the official english version of Slimefun and did not modify the jar.
  • I am using an up to date "DEV" (not "RC") version of Slimefun.
  • I am aware that issues related to Slimefun addons need to be reported on their bug trackers and not here.
  • I searched for similar open issues and could not find an existing bug report on this.

📍 Description

Problem: When players without admin perms use the "Cheatsheet" they are able to bypass the admin-only safety.

Definitions I'm using that may not be clear: "Cheatsheet" - The guide generated by using the command "/sf guide" and modifying the settings to cheat mode. Only possible by admins.

How to replicate: A player with normal permissions must hold a guide that an admin created using using "/sf guide" and changing the guide settings to cheat mode. Once ahold of the cheatsheet the player must open the guide, go into settings, and then close the settings. The player is now able to use the cheatsheet like an admin and spawn in any item they click on in the guide.

Temporary solution: I have banned the use of the physical cheatsheet.

📑 Reproduction Steps

  1. Admin runs command "/sf guide"
  2. Admin opens guide -> Clicks settings -> Clicks the left command that changes the book from guide to cheatsheet. The book will now run the command "/sf cheat" (This is expected behavior)
  3. Admin, for whatever ungodly reason, gives the cheatsheet to a player without admin permissions.
  4. Player opens guide -> opens settings -> closes settings.
  5. Player can now click any item in the cheatsheet and it will appear in their inventory similar to the admin use of the cheatsheet.

💡 Expected Behavior

When a player without admin permissions uses an admin-only guide an error message along the lines of "Only admins can use the cheatsheet!" appears.
Without this bug, when a player opens settings-> closes settings -> Uses the cheatsheet
The command would not run, and the player would get the error message.

📷 Screenshots / Videos

No response

📜 Server Log

If needed I can ask the server owner for the files altho he's hard to reach atm. Just ask me on the discord server Penguin#9016 and ill resubmit this when he's able to get them to me.

📂 /error-reports/ folder

No response

💻 Server Software

Paper

🎮 Minecraft Version

1.18.x

⭐ Slimefun version

Paper git-Paper-224 (MC: 1.18.2)
Slimefun DEV - 999 (git e02eedd)
Metrics-Module #28
Java 17

No Addons installed

🧭 Other plugins

No response