fix: add authorization checks to admin-level CBA server events

[fank]

Summary

• Add remoteExecutedOwner + OCAP_hasAdminControls authorization checks to 5 admin-level CBA server events: record, pause, exportData, setFocusStart, setFocusEnd
• Server-local execution (mission scripts, remoteExecutedOwner == 0) always allowed
• Remote callers must have OCAP admin controls (Arma server admin OR in OCAP_administratorList)
• Data recording events (customEvent, counterEvent) remain unrestricted — designed to be called from any mission script

Context

CBA_fnc_serverEvent can be called from any client, meaning any player could trigger admin actions like stopping recording or forcing an export. This adds access control using the existing OCAP_hasAdminControls variable already managed by fnc_adminUIcontrol.sqf.

Test plan

• Verify server-side mission scripts (remoteExecutedOwner == 0) can still call all events
• Verify admin diary controls (client-side CBA_fnc_serverEvent) still work for Arma admins
• Verify admin diary controls work for OCAP admin list players (non-Arma-admin)
• Verify non-admin players calling events get blocked with RPT warning
• Verify customEvent and counterEvent remain callable by any client

[gemini-code-assist]

Summary of Changes

Hello, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request significantly enhances the security posture of admin-level server events by introducing robust authorization checks. It prevents unauthorized clients from triggering sensitive actions such as recording control or data export, ensuring that only server-local scripts or authenticated administrators can execute these commands. Additionally, it includes new documentation outlining the design and implementation plan for an upcoming feature that will allow mission makers to define focus ranges directly via script.

Highlights

• Authorization Function Added: Introduced OCAP_recorder_isAuthorizedEventCaller, a new function to centralize and manage authorization logic for server events.
• Admin Event Authorization: Implemented authorization checks for five critical admin-level CBA server events: record, pause, exportData, setFocusStart, and setFocusEnd.
• Execution Context Handling: Ensured that server-local execution (e.g., mission scripts with remoteExecutedOwner == 0) bypasses authorization, while remote callers must possess OCAP admin controls (OCAP_hasAdminControls). Unrestricted events like customEvent and counterEvent remain unaffected.
• Future Feature Planning: Added new documentation files outlining the design and implementation plan for a future 'Script-Side Focus Range' feature, which will allow mission makers to define focus ranges directly via script.

Changelog

• addons/recorder/fnc_addEventMission.sqf
  • Added OCAP_recorder_isAuthorizedEventCaller function.
  • Integrated authorization checks into record, pause, exportData, setFocusStart, and setFocusEnd event handlers.
  • Updated documentation for OCAP_listener_setFocusStart and OCAP_listener_setFocusEnd.
• docs/plans/2026-03-06-script-side-focus-design.md
  • Added a new design document detailing the 'Script-Side Focus Range' feature.
• docs/plans/2026-03-06-script-side-focus-plan.md
  • Added a new implementation plan document for the 'Script-Side Focus Range' feature.

Activity

• No specific activity (comments, reviews, progress) has been recorded for this pull request yet.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This pull request introduces important authorization checks for several admin-level CBA server events, effectively addressing a potential security vulnerability. The implementation is clean and robust, correctly distinguishing between server-local and remote calls, and leveraging an existing admin control flag for remote callers. The checks are consistently applied to all relevant events (record, pause, exportData, setFocusStart, setFocusEnd) while correctly leaving other events unrestricted. The code is well-written and handles edge cases like disconnected players gracefully. The pull request also includes new design and implementation plan documents for the script-side focus feature, providing context for some of the secured events. Overall, the changes are excellent and I have no suggestions for improvement.