MOO-cows Mailing List Archive
[Prev][Next][Index][Thread]
Re: more questions
> In message <330E48B0.70D7@itchen.hants.gov.uk>, Tim MacLachlan writes:
> >
> > 1. how do i create an object that cannot be moved by anyone other than
> > me? (hope you dont mind me including your question, Stephen)
>
> @verb foo:moveto this none this
> @program foo:moveto
> if (player == this.owner)
> pass(@args);
> else
> player:tell("You fail to move ", this.name, " to ", args[1].name, ".");
> endif
This is actually a small security leak. The reason is, I could reprogram
my :tell verb (a commonly called one) to try to move an object with the
above code installed to wherever. When that object's owner pages me,
says something in a room I'm in, or does one of a zillion other things
that could result in my :tell being called, then 'player' in that verb call
will pass that permissions check.
A more robust approach would be:
if ($perm_utils:controls (caller_perms(), this) && (player == this.owner))
This one checks to see that the owner of the verb calling this:moveto()
has permissions for this object (i.e. the owner or a wizard) and that the
task that resulted in the verbcall was started by this object's owner.
That way, my malicious :tell verb would fail to move the object.
Follow-Ups:
Home |
Subject Index |
Thread Index