LuckPerms


Fabric permissions check against wrong command caller

CreepyCre opened this issue · 0 comments

Description

LuckPerms on Fabric checks permissions against the entity stored in the CommandSource, see here.
However, the assumption that the stored entity is the caller of the command is not generally correct, e.g. the execute command nodes seem to change out the entity if you use execute as.
What this boils down to for most use cases is the current implementation seems to prevent running a command with artificially elevated (or lowered) permissions.

I propose two possible solutions:

  1. Check the permissions of the CommandOutput stored on the ServerCommandSource, provided it is a ServerPlayerEntity. This seems to align with the intended purpose, since CommandOutput is actually called CommandSource in mojmap.
  2. Mixin into the ServerCommandSource#with[...] methods and store the original caller of the command where necessary. Then use this stored original caller to check permissions against.

See here (beware, this project uses mojmap) for an example of how a mod would try to run a command with elevated permissions with this issue interfering with the expected behaviour.

Reproduction Steps

n/a

Expected Behaviour

Permissions should be checked on the original caller of the command.

Server Details

Fabric 1.20.2

LuckPerms Version

5.4.110

Logs and Configs

No response

Extra Details

No response
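
The subject mismatch described in this issue, as an added example that is not part of the original report and is not LuckPerms, Fabric or Minecraft code. All types, method names, the permission node and the players are hypothetical stand-ins; the model compares the entity-based check with the two proposed alternatives after an `execute as` style entity swap.

```java
import java.util.Set;

// Simplified model with hypothetical types; not Minecraft, Fabric or LuckPerms code.
public class CommandSubjectDemo {
    record Player(String name, Set<String> nodes) {
        boolean has(String node) { return nodes.contains(node); }
    }

    // entity: what "execute as" swaps. output: stays with the issuer (option 1).
    // caller: recorded once at creation and carried through copies (option 2).
    record Source(Player entity, Player output, Player caller) {
        static Source issuedBy(Player p) { return new Source(p, p, p); }
        // Stand-in for the with[...] copy methods: only the entity changes.
        Source withEntity(Player e) { return new Source(e, output, caller); }
    }

    // Behaviour the issue describes: the subject is the stored entity.
    static boolean checkEntity(Source s, String node) {
        return s.entity() != null && s.entity().has(node);
    }
    // Option 1: the subject is the output, when it is a player.
    static boolean checkOutput(Source s, String node) {
        return s.output() != null && s.output().has(node);
    }
    // Option 2: the subject is the recorded original caller.
    static boolean checkCaller(Source s, String node) {
        return s.caller() != null && s.caller().has(node);
    }

    static void report(String label, Source s, String node) {
        System.out.printf("%-28s entity=%-5b output=%-5b caller=%b%n",
                label, checkEntity(s, node), checkOutput(s, node), checkCaller(s, node));
    }

    public static void main(String[] args) {
        String node = "example.command"; // constructed permission node
        Player alice = new Player("alice", Set.of(node)); // constructed sample players
        Player bob = new Player("bob", Set.of());

        report("alice, direct", Source.issuedBy(alice), node);
        report("alice, execute as bob", Source.issuedBy(alice).withEntity(bob), node);
        report("bob, execute as alice", Source.issuedBy(bob).withEntity(alice), node);
    }
}
```

The entity-based check follows the swapped entity in both directions, while the output-based and caller-based checks stay bound to whoever issued the command; in this model the two alternatives agree because nothing replaces the output.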