Commits

Andrew Godwin committed 0cdf5b8

Fix writer/op security flaw

Comments (0)

Files changed (2)

myne/plugins/ops.py

     @username_world_command
     def commandOp(self, username, world):
         "/op username [world] - Adds username to the op list for the world."
+        if not self.client.isAdmin() and world != self.client.world:
+            self.client.sendServerMessage("You are not an admin!")
+            return
         world.ops.add(username)
         self.client.sendServerMessage("Opped %s" % username)
         if username in self.client.factory.usernames:
     @username_world_command
     def commandDeop(self, username, world):
         "/deop username [world] - Removes username from the op list for the world."
+        if not self.client.isAdmin() and world != self.client.world:
+            self.client.sendServerMessage("You are not an admin!")
+            return
         try:
             world.ops.remove(username)
         except KeyError:

myne/plugins/writers.py

     @username_world_command
     def commandWriter(self, username, world):
         "/writer username [world] - Adds username to the 'writers' list for the world."
+        if not self.client.isAdmin() and world != self.client.world:
+            self.client.sendServerMessage("You are not an admin!")
+            return
         world.writers.add(username)
         self.client.sendServerMessage("Writered %s" % username)
         if username in self.client.factory.usernames:
     @username_world_command
     def commandDewriter(self, username, world):
         "/dewriter username - Removes username from the 'writers' list for the world."
+        if not self.client.isAdmin() and world != self.client.world:
+            self.client.sendServerMessage("You are not an admin!")
+            return
         try:
             world.writers.remove(username)
         except KeyError:
             self.client.sendServerMessage("This world has no writers.")
         else:
             self.client.sendServerList(["Writers for %s:" % self.client.world.id] + list(self.client.world.writers))
-    
+