TARDIS

A server owner in Discord today reported that players on their server seem to be able to spawn TWA mobs without any permissions. Having looked at the code and plugin.yml, I believe this is due to a bug with the way permissions are checked.

In plugin.yml, the permission tardisweepingangels.spawn defaults to OP and claims to allow players to spawn TWA monsters. It has several children for each individual TWA monster, which all default to true:

TARDIS/Core/src/main/resources/plugin.yml

Lines 704 to 729 in 19e7e4e

    
           tardisweepingangels.spawn: 
        
             description: Allow players to spawn a monster. 
        
             default: op 
        
             children: 
        
               tardisweepingangels.spawn.angel: true 
        
               tardisweepingangels.spawn.cyberman: true 
        
               tardisweepingangels.spawn.dalek: true 
        
               tardisweepingangels.spawn.dalek_sec: true 
        
               tardisweepingangels.spawn.davros: true 
        
               tardisweepingangels.spawn.empty: true 
        
               tardisweepingangels.spawn.ice: true 
        
               tardisweepingangels.spawn.judoon: true 
        
               tardisweepingangels.spawn.k9: true 
        
               tardisweepingangels.spawn.mire: true 
        
               tardisweepingangels.spawn.monk: true 
        
               tardisweepingangels.spawn.ood: true 
        
               tardisweepingangels.spawn.racnoss: true 
        
               tardisweepingangels.spawn.sea_devil: true 
        
               tardisweepingangels.spawn.silent: true 
        
               tardisweepingangels.spawn.silurian: true 
        
               tardisweepingangels.spawn.slitheen: true 
        
               tardisweepingangels.spawn.sontaran: true 
        
               tardisweepingangels.spawn.strax: true 
        
               tardisweepingangels.spawn.toclafane: true 
        
               tardisweepingangels.spawn.vashta: true 
        
               tardisweepingangels.spawn.zygon: true

The issue is that the command handler code never checks the base permission node and only checks the permission node for the specific monster called in the command. Since each monster permission defaults to true, this results in all players being able to spawn TWA monsters by default:

TARDIS/Core/src/main/java/me/eccentric_nz/tardisweepingangels/commands/SpawnCommand.java

Lines 76 to 81 in 19e7e4e

    
           if (sender instanceof Player player) { 
        
               // check player has permission for this monster 
        
               if (!TARDISPermission.hasPermission(player, "tardisweepingangels.spawn." + monster.getPermission())) { 
        
                   plugin.getMessenger().send(sender, TardisModule.MONSTERS, "WA_PERM_SPAWN", monster.toString()); 
        
                   return true; 
        
               }

Suggested fix: Check the base permission tardisweepingangels.spawn in the command handler as well as the monster-specific permission.

It looks like the original reporter was mistaken and can't actually spawn monsters. Closing as invalid. Apologies.

If I'm de-opped I can't spawn TWA monsters...

	tardisweepingangels.spawn:
	description: Allow players to spawn a monster.
	default: op
	children:
	tardisweepingangels.spawn.angel: true
	tardisweepingangels.spawn.cyberman: true
	tardisweepingangels.spawn.dalek: true
	tardisweepingangels.spawn.dalek_sec: true
	tardisweepingangels.spawn.davros: true
	tardisweepingangels.spawn.empty: true
	tardisweepingangels.spawn.ice: true
	tardisweepingangels.spawn.judoon: true
	tardisweepingangels.spawn.k9: true
	tardisweepingangels.spawn.mire: true
	tardisweepingangels.spawn.monk: true
	tardisweepingangels.spawn.ood: true
	tardisweepingangels.spawn.racnoss: true
	tardisweepingangels.spawn.sea_devil: true
	tardisweepingangels.spawn.silent: true
	tardisweepingangels.spawn.silurian: true
	tardisweepingangels.spawn.slitheen: true
	tardisweepingangels.spawn.sontaran: true
	tardisweepingangels.spawn.strax: true
	tardisweepingangels.spawn.toclafane: true
	tardisweepingangels.spawn.vashta: true
	tardisweepingangels.spawn.zygon: true

	if (sender instanceof Player player) {
	// check player has permission for this monster
	if (!TARDISPermission.hasPermission(player, "tardisweepingangels.spawn." + monster.getPermission())) {
	plugin.getMessenger().send(sender, TardisModule.MONSTERS, "WA_PERM_SPAWN", monster.toString());
	return true;
	}

Share to