LuckPerms

LuckPerms

905k Downloads

Hide tab-complete commands

NotStarRift opened this issue ยท 13 comments

commented

Description

Players are able to see a full list of plugins by typing "/" in the chat window. There are other plugins out there that hide this feature, but I believe the LuckPerms resource by itself has the capacity to do this down to the permissions level.

Proposed behaviour

Players ought not to be able to see command help for plugins and features they don't have access to. This could potentially present security risks to the server since hackers could find out what plugins we use. I also feel it'd be more professional to only display auto-complete help for commands relevant to players. The ability to curate auto-complete command help to individual players would a great addition to LuckPerms.

commented

Forgot how but I managed to do just this with a few lines of code. It generated a list of permission nodes that you'd assign commands to in a yaml to associate with commands. Then those very commands override the default chat complete for players, depending on what permission nodes they had access to. I grouped them in lists for my rank ladder

commented

https://prnt.sc/w6s52e
Here's an example of the present issue. With default rank, players can see the commands for worldedit tasks, without the permissions to run them.

commented

LuckPerms doesn't control which commands are sent to clients; if the other plugin registers its commands and permissions properly, just denying the permission will suffice, if not you should seek that plugin's support.

commented

LuckPerms doesn't control which commands are sent to clients; if the other plugin registers its commands and permissions properly, just denying the permission will suffice, if not you should seek that plugin's support.

In most scenarios, denying the permission doesn't suffice for the security of production servers. Why? Because players can still see your plugin commands despite the permission being revoked, providing a way for current vulnerabilities or exploits to be exposed. There are plugins out there that allow you to customize what you can and can't show after typing a forward slash in chat based on a list in the configurations file. I'm suggesting LuckPerms implements a feature similar to this that can show and hide chat tabbing based on individual user's permissions as opposed to the previously mentioned blanket solution of blocking the feature for all users.

commented

Please re-read the very first sentence of my comment:

LuckPerms doesn't control which commands are sent to clients;

That is completely controlled by the server implementation and again, if the plugin in question registers its commands properly it should not pop up. LuckPerms is a permissions manager and a tree calculator, not a command and suggestions blocker. There are plugins that are made for that purpose but LuckPerms is not one of them.

commented

Please re-read the very first sentence of my comment:

LuckPerms doesn't control which commands are sent to clients;

I understood what you said the first couple times. This is a feature suggestion to to have luckperms control PlayerChatTabCompleteEvent for individual users which is also something I'm fully aware luckperms doesn't control.

That is completely controlled by the server implementation

Not quite. You have the option in spigot/bukkit to disable it entirely which defeats the purpose of my suggestion. I'm suggesting luckperms should regard the commands assigned to permission nodes and have it influence auto complete based on individual user permissions.

if the plugin in question registers its commands properly it should not pop up.

Not sure how your setup is, but that isn't the case given commands which players don't have access to still show up in auto complete on a fresh install of spigot and luckperms. And there are only half-working outdated plugins on spigot that don't even accomplish this for 1.16.

commented

One thing you seem to not get is that permissions and commands are entirely unrelated, LuckPerms controls permissions, not commands. Is that so hard to comprehend?

If my plugin has 2 commands and one permission for only one of them, no matter how many permissions you set to false the other command will still show. This is the case of those specific WorldEdit commands that always show up.

Not only that but there can be permissions that are not attached to any commands too, but rather actions.

commented

One thing you seem to not get is that permissions and commands are entirely unrelated, LuckPerms controls permissions, not commands. Is that so hard to comprehend?

If my plugin has 2 commands and one permission for only one of them, no matter how many permissions you set to false the other command will still show. This is the case of those specific WorldEdit commands that always show up.

Not only that but there can be permissions that are not attached to any commands too, but rather actions.

No, you're failing to understand what I'm saying and being incredibly condescending about it.
I also know how plugins and permissions work. Apparently you don't if you really believe there aren't ways to find out what commands belong to what permission and vice versa. It also wouldn't be very difficult to make a listener for it. I'm suggesting LuckPerms could have this feature implemented and make good use of it - such as define what is shown after "/" to individual users by defining the commands based on a permission. Something that can be done with a listener and am going to clarify for one last time that I am aware doesn't currently exist in LuckPerms.

commented

This is already handled at the platform level, Luckperms has no reason to involve itself except to further complicate things. Plugins are responsible for declaring things in such a way that the platform can properly handle tab completes.

commented

Made my own plugin that hooks into LuckPerms and accomplishes this.

commented

@NotStarRift I am also looking for a solution to this problem. Have you considered publishing the plugin you wrote on a platform? I've looked but cannot seem to find it.

commented

I found an interesting subreddit post where someone posted a solution to this problem: use the PlayerCommandSendEvent to remove commands that would otherwise be sent to the player by other plugins. I was able to confirm that this is possible. Even some minecraft commands are sent regardless of user permissions. You can set the tab-complete config setting in the spigot.yml file to -1 which entirely prevents the TabCompleter for all plugins, but that is not a solution for me because I want my commands to have tab completion.

commented

I agree with @emilyy-dev and @underscore11code that LuckPerms has no reason to involve itself in this, as it is the plugin's responsibility to manage tab completion (in this case the developers of WorldEdit, one of the best plugins ever) for not using permissions to limit tab completer functionality. To that point, almost no other plugins seem to be doing this either. Essentials is the only plugin I have found so far that respects permissions in regards to tab completion. It is certainly not standard in the community. But it's cool that you made a plugin to solve this problem @NotStarRift ! I am having the same issue, and it is very frustrating. Can you provide a link to your plugin? I am curious what you did. ๐Ÿ˜„