SendPlayerCapabilitiesPacket alters Capability API behavior, breaking consumer expectations and information exposure
pau101 opened this issue · 2 comments
Hello,
I am the developer for the mod Wings and I recently received a report of an Everlasting Abilities incompatibility. From looking into the issue, I identified the culprit as the capability utilities provided by CyclopsCore. In particular, SendPlayerCapabilitiesPacket serializes the player's capabilities as designed for server-side storage and deserializes them on the client.
The consequence of this is that erroneous behavior can be introduced to Capability API consumers as this behavior is foreign to design. Moreover, potentially exploitable information is made available to malicious clients.
A change to the capability implementation used by Everlasting Abilities would need to just go so far as only manipulating capability instances it owns and not others.
You're right, SendPlayerCapabilitiesPacket was originally supposed to be a temporary hack, but I never implemented a proper solution. I'll look into it.
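A simplified model of the behaviour reported in this issue, added here as an illustration; it is not CyclopsCore, Forge or Everlasting Abilities code, and the class, method names, mod ids and data strings are hypothetical and constructed. It contrasts a sync payload built from every capability attached to the player with one limited to the capabilities the sending mod owns.

```java
import java.util.LinkedHashMap;
import java.util.Map;

// Simplified model, not Forge or CyclopsCore code; all names are hypothetical.
public class CapabilitySyncModel {
    // Server-side capabilities on a player, keyed "modid:name" (constructed data).
    static Map<String, String> serverCaps() {
        Map<String, String> caps = new LinkedHashMap<>();
        caps.put("moda:abilities", "{abilities:[speed]}");
        caps.put("modb:flight", "{serverOnlyState:42}");
        return caps;
    }

    // Reported behaviour: the payload is the whole server-side save form.
    static Map<String, String> payloadAll(Map<String, String> caps) {
        return new LinkedHashMap<>(caps);
    }

    // Suggested behaviour: include only capabilities the sending mod owns.
    static Map<String, String> payloadOwned(Map<String, String> caps, String modId) {
        Map<String, String> out = new LinkedHashMap<>();
        for (Map.Entry<String, String> e : caps.entrySet()) {
            if (e.getKey().startsWith(modId + ":")) {
                out.put(e.getKey(), e.getValue());
            }
        }
        return out;
    }

    // Client handler: writes every received entry over its local state.
    static void apply(Map<String, String> clientCaps, Map<String, String> payload) {
        clientCaps.putAll(payload);
    }

    public static void main(String[] args) {
        Map<String, String> client = new LinkedHashMap<>();
        client.put("modb:flight", "{clientView:true}"); // state modb manages itself

        Map<String, String> leaky = new LinkedHashMap<>(client);
        apply(leaky, payloadAll(serverCaps()));   // modb's entry is replaced by server data
        System.out.println("all:   " + leaky);

        Map<String, String> scoped = new LinkedHashMap<>(client);
        apply(scoped, payloadOwned(serverCaps(), "moda")); // modb's entry is left alone
        System.out.println("owned: " + scoped);
    }
}
```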