admin2: security fixes
Dutchman101 committed Jun 20, 2024
1 parent 0dbb83d commit 8f9b2df
Showing 4 changed files with 79 additions and 12 deletions.
8 changes: 4 additions & 4 deletions [admin]/admin2/conf/ACL.xml
@@ -77,7 +77,7 @@
<right name="command.setfpskicker" access="true" />
<right name="command.setidlekicker" access="true" />
<right name="command.clearchat" access="true" />
<right name="command.setserverconf" access="true" />
<right name="command.setconfig" access="true" />
<!--Bans related-->
<right name="command.ban" access="true" />
<right name="command.unban" access="true" />
@@ -160,7 +160,7 @@
<right name="command.setfpskicker" access="false" />
<right name="command.setidlekicker" access="false" />
<right name="command.clearchat" access="true" />
<right name="command.setserverconf" access="false" />
<right name="command.setconfig" access="false" />
<!--Bans related-->
<right name="command.ban" access="true" />
<right name="command.unban" access="true" />
@@ -243,7 +243,7 @@
<right name="command.setfpskicker" access="false" />
<right name="command.setidlekicker" access="false" />
<right name="command.clearchat" access="true" />
<right name="command.setserverconf" access="false" />
<right name="command.setconfig" access="false" />
<!--Bans related-->
<right name="command.ban" access="false" />
<right name="command.unban" access="false" />
@@ -323,7 +323,7 @@
<right name="command.setfpskicker" access="false" />
<right name="command.setidlekicker" access="false" />
<right name="command.clearchat" access="false" />
<right name="command.setserverconf" access="false" />
<right name="command.setconfig" access="false" />
<!--Bans related-->
<right name="command.ban" access="false" />
<right name="command.unban" access="false" />
13 changes: 9 additions & 4 deletions [admin]/admin2/server/admin_ACL.lua
@@ -252,12 +252,17 @@ local aACLFunctions = {
triggerClientEvent(client, EVENT_ACL, client, ACL_ACL, group, data)
end
}

addEvent(EVENT_ACL, true)
addEventHandler(
EVENT_ACL,
root,
addEventHandler(EVENT_ACL, root,
function(action, ...)
aACLFunctions[action](...)
if not hasObjectPermissionTo( client, "general.tab_acl" ) then
outputServerLog( ( "[ADMIN SECURITY]: Player %s [%s %s] attempted to tamper with server ACL without proper rights" ):format( client.name, client.ip, client.serial ) )
return
end
if action then
aACLFunctions[action](...)
end
end
)

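Review bot: On the new side `aACLFunctions[action](...)` still dispatches on whatever `action` the remote caller sends — `addEvent(EVENT_ACL, true)` makes the event remotely triggerable — so an unknown action string raises "attempt to call a nil value" inside the handler instead of being refused; the `if action then` guard only covers nil. Look the handler up first and fail closed: `local fn = aACLFunctions[action]` / `if fn then fn(...) end`. The permission check also indexes `client.name` with no nil guard, so a server-side `triggerEvent` (no client) would error on the log line rather than being handled the way `hasClientPermissionTo` in admin_sync.lua does with `if client and ...`; if server-side callers exist, mirror that guard here. The `aACLFunctions` table this handler indexes starts outside the hunk.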
6 changes: 3 additions & 3 deletions [admin]/admin2/server/admin_session.lua
@@ -42,9 +42,9 @@ addEventHandler(
end
end
if (type == SESSION_UPDATE or type == SESSION_START) then
if (hasObjectPermissionTo(client, "general.adminpanel")) then
if (hasObjectPermissionTo(client or source, "general.adminpanel")) then
local tableOut = {}
local account = "user." .. getAccountName(getPlayerAccount(client))
local account = "user." .. getAccountName(getPlayerAccount(client or source))
for gi, group in ipairs(aclGroupList()) do
for oi, object in ipairs(aclGroupListObjects(group)) do
if ((object == account) or (object == "user.*")) then
@@ -61,7 +61,7 @@ addEventHandler(
end
end
end
triggerClientEvent(client, EVENT_SESSION, client, tableOut)
triggerClientEvent(client or source, EVENT_SESSION, client, tableOut)
end
end
end
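Review bot: The recipient on the last changed line becomes `client or source`, but the source element passed as the third argument is still plain `client`, which is nil on exactly the server-triggered path the fallback is meant to support; the equivalent line in admin_sync.lua passes a real element (`theSource`) there. Use the same fallback for both: `triggerClientEvent(client or source, EVENT_SESSION, client or source, tableOut)` — and confirm whether triggerClientEvent tolerates a nil source element before keeping the current form. The enclosing addEventHandler call and its callback start outside the hunk (the header shows `addEventHandler(`).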
64 changes: 63 additions & 1 deletion [admin]/admin2/server/admin_sync.lua
@@ -7,17 +7,38 @@
* Original File by lil_Toady
*
**************************************]]

local function hasClientPermissionTo(strRight)
if client and not hasObjectPermissionTo(client, strRight) then
outputServerLog( ( "[ADMIN SECURITY]: Player %s [%s %s] attempted to perform admin data sync without proper rights (%s)" ):format( client.name, client.ip, client.serial, strRight ) )
return false
end
return true
end

addEvent(EVENT_SYNC, true)
addEventHandler(
EVENT_SYNC,
root,
function(type, data)

if not hasClientPermissionTo("general.adminpanel") then
return
end

local tableOut = {}
local theSource = root

if (type == SYNC_PLAYER) then

if (not isElement(data)) then
return
end

if not hasClientPermissionTo( "general.tab_players" ) then
return
end

aPlayers[client]["sync"] = data
tableOut["mute"] = isPlayerMuted(data)
tableOut["freeze"] = isElementFrozen(data)
@@ -33,6 +54,7 @@ addEventHandler(
end
tableOut["account"] = getAccountName(account)
theSource = data

elseif (type == SYNC_PLAYERS) then
for id, player in ipairs(getElementsByType("player")) do
tableOut[player] = {}
@@ -42,7 +64,13 @@ addEventHandler(
tableOut[player].country = aPlayers[player]["country"]
tableOut[player].countryname = aPlayers[player]["countryname"]
end

elseif (type == SYNC_PLAYERACL) then
-- Not called by client-side
if client then
return
end

local player = data
if isElement(player) then
theSource = player
@@ -57,7 +85,12 @@ addEventHandler(
end
end
end

elseif (type == SYNC_RESOURCES) then
if not hasClientPermissionTo("command.listresources") then
return
end

tableOut = {}
local resourceTable = getResources()
for id, resource in ipairs(resourceTable) do
@@ -69,7 +102,12 @@ addEventHandler(
end
table.insert(tableOut[group], {name = name, state = state})
end

elseif (type == SYNC_RESOURCE) then
if not hasClientPermissionTo("command.listresources") then
return
end

local resource = getResourceFromName(data)
tableOut.name = data
tableOut.info = {}
@@ -81,7 +119,12 @@ addEventHandler(
tableOut.info.description = getResourceInfo(resource, "description") or nil
tableOut.info.settings = getResourceSettings(data, false)
end

elseif (type == SYNC_ADMINS) then
if not hasClientPermissionTo("general.tab_adminchat") then
return
end

for id, player in ipairs(aPlayers) do
tableOut[player] = {}
tableOut[player]["admin"] = hasObjectPermissionTo(player, "general.adminpanel")
@@ -101,19 +144,38 @@ addEventHandler(
end
end
end

elseif (type == SYNC_SERVER) then
if not hasClientPermissionTo("general.tab_server") then
return
end

tableOut["name"] = getServerName()
tableOut["players"] = getMaxPlayers()
tableOut["game"] = getGameType()
tableOut["map"] = getMapName()
tableOut["password"] = getServerPassword()

elseif (type == SYNC_BAN) then
if client then
return
end
tableOut = data

elseif (type == SYNC_BANS) then
if not hasClientPermissionTo("general.tab_bans") then
return
end

for id, ban in pairs(getBansList()) do
tableOut[id] = getBanData(ban)
end

elseif (type == SYNC_MESSAGES) then
if not hasClientPermissionTo( "command.listmessages" ) then
return
end

local unread, total = 0, 0
for id, msg in ipairs(aReports) do
if (not msg.read) then
@@ -124,7 +186,7 @@ addEventHandler(
tableOut["unread"] = unread
tableOut["total"] = total
end
triggerClientEvent(client, EVENT_SYNC, theSource, type, tableOut)
triggerClientEvent(client or source, EVENT_SYNC, theSource, type, tableOut)
end
)

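Review bot: `hasClientPermissionTo` returns true whenever `client` is nil, i.e. a server-side trigger is trusted unconditionally, and that rule decides access for every branch of the handler, yet nothing in the new code says so; add above the helper `-- nil client = server-side trigger, trusted; a remote client must hold strRight or the attempt is logged and refused.` The SYNC_PLAYERACL and SYNC_BAN branches refuse remote callers with a bare `if client then return end`, so a client probing those actions leaves no `[ADMIN SECURITY]` log line, unlike every other branch; `if client then outputServerLog(("[ADMIN SECURITY]: Player %s [%s %s] requested server-only sync"):format(client.name, client.ip, client.serial)) return end` would keep the logging uniform. On the nil-client path SYNC_PLAYER still reaches the unchanged `aPlayers[client]["sync"] = data`, which indexes `aPlayers[nil]`; if the server ever triggers SYNC_PLAYER itself that line errors, so worth confirming. The handler callback spans all the hunks of this file (it opens in the first and closes in the last).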
