Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Vanished players are exposed by ban and expel commands #1573

Closed
piotrskibapl opened this issue Nov 12, 2020 · 5 comments
Closed

Vanished players are exposed by ban and expel commands #1573

piotrskibapl opened this issue Nov 12, 2020 · 5 comments
Assignees
@tastybento
Labels
Status: Under investigation Investigating the interest and the feasability of the issue. Type: Bug

Comments

@piotrskibapl
Copy link

Description

Describe the bug

By using "is ban" and "is expel" commands, it's possible to check whether a player is online and vanished on the server.

Steps to reproduce the behavior

  1. Log in on the server using an account without admin/vanish access
  2. Try to ban or expel an offline admin
    Observed:
  • when using the ban command, the admin is successfully banned
  • when using the expel command, there's a message "That player is offline or doesn't exist"
  1. Unban the admin, join the server from his account and enable vanish
  2. Try to ban or expel the admin again
    Observed:
  • when using the ban command, there's a message "That player cannot be banned."
  • when using the expel command, there's a message "That player is not on your island!"

Expected behavior

For both commands, the command output message should be changed to be consistent no matter if the admin is online or not.

Environment

Output of /bbox version (Mandatory)
Running Paper 1.15.2
BentoBox version: 1.15.2 (build #1909)
Database: JSON
Loaded Game Worlds:
acid (Acid): World, Nether, The End
Loaded addons:
AcidIsland 1.14.3 (ENABLED)
Challenges 0.8.3 (ENABLED)
ControlPanel 1.7.0 (ENABLED)
DimensionalTrees 1.6.0 (ENABLED)
Level 2.4.1 (ENABLED)
Limits 1.14.0 (ENABLED)
Warps 1.10.1-SNAPSHOT-b266 (ENABLED)

Additional context (Optional)

I thought that this issue was reported here before, but I can't find any bug report for these two commands. The only relevant issue I found is #972, but it doesn't contain these two specific commands - they might have been not noticed when fixing that issue or this bug appeared later on.
@tastybento tastybento added Status: Under investigation Investigating the interest and the feasability of the issue. Type: Bug labels Nov 13, 2020
@tastybento tastybento self-assigned this Nov 13, 2020
@tastybento
Copy link
Member

Hmm, tricky. Expel can be fixed, Ban cannot. The problem here is the definition of "admin". If the admin is Op, then there is no issue. However, if the admin is ad admin because of perms, then there is an issue because perms can only be checked when the player is online.

Ban Command

The situation now:
Op:

  • Offline or online, vanished or not, message will be "That player cannot be banned." - so it's not possible to tell if an Op is vanished or not, the error is always the same.

Admin with the [gamemode].admin.noban perm:

  • Offline: perm cannot be checked, so the admin can be banned. As banning of offline players is allowed, this cannot be changed.
  • Online: perm is active, vanished or not, player sees "That player cannot be banned."

The only way to not expose a vanished perm-based admin would be to allow them to be banned, which of course, defeats the purpose of the [gamemode].admin.noban perm, so that's not really an option. So players can tell if a perm-based admin is online by trying to ban them.

Expel Command
This one is different because the player has to be on the island to be expelled.

The situation now:
Op (vanished or not):

  • Offline - "player is offline" error
  • Online, not on island - "not on island" error
  • Online, on island - "cannot expel" error

Admin with the [gamemode].admin.noexpel perm or [gamemode].mod.bypassexpel perm:

  • Offline - "player is offline" error
  • Online, not on island - "not on island" error
  • Online, on island - "cannot expel" error

This can be fixed so that if Op or Admin are vanished then the player will see the "player is offline" error.

tastybento added a commit that referenced this issue Nov 14, 2020
@tastybento
Prevent exposing vanished players with expel
5321e1d 
#1573
@piotrskibapl
Copy link
Author

@tastybento, thanks for the detailed response.
When it comes to the ban command, only solution I can think of in my case would be to remove the [gamemode].admin.noban permission and leave [gamemode].mod.bypassban only.
However, I'm running into an issue - I have acidisland.admin.noban permission set to false for the admin group, but other players still aren't able to ban me. Is there any other permission that could cause this?

@tastybento
Copy link
Member

Sorry for the late response (busy IRL) - Ops cannot be banned.

I think removing the admin.noban perm makes sense because there is a bypass ban permission.

@tastybento
Copy link
Member

It might be a good idea to remove the block on banning Ops too because they can rely on the bypass perm anyway.

@piotrskibapl
Copy link
Author

In my opinion, removing the block on banning Ops would be a good idea. Currently, in my case, it looks like it's impossible to disable the block on banning admins without a lot of permission changes - I'm using LuckPerms which overrides the vanilla OP system.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@tastybento tastybento

Labels
Status: Under investigation Investigating the interest and the feasability of the issue. Type: Bug
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@tastybento @piotrskibapl