Hemiptera Bugtracker at bugs.linux-forks.de

advtrains

access protion of the driver stand broken again

Send replies to 68@bugs.linux-forks.de or using the Form below.
avatar From: OP
Sun, 14 Oct 2018 14:34:01 -0000

The limitation for the access to the driver stand is again broken.

This is a very dangerous problem, as everyone can now "play" with any trains, be it public lines or private lines.

Currently are on the server I play several subway lines broken since a few days after someone decoupled several 3 wagon trains in station. Repairing and then restarting stopps after a few minutes, because then other broken trains block again the lines.

On the priority level of syslog I give this problem a level of "alert", one more problem or griefing attack and advtrains becomes unusable on multiplayer servers.

(a few months ago the limitations worked: I was able to lock myself out from the driver stand)

avatar From: Developer
Mon, 15 Oct 2018 08:36:01 -0000

I know that the current security system in its totality is broken, does

not work, and kills cute little kittens. This is an issue I clearly have

to spend time on, and completely reimplement everything, because fixing

it would be very hard. I reverted the privilege system change I wrote

half a year ago, because it did introduce more bugs than it fixed, until

I (or someone else) come up with a better solution.

Leaving this issue open as a reminder.

avatar From: OP
Thu, 18 Oct 2018 16:04:01 -0000

The current situation leaves all trains open to serious sabotaging - I'm shutting down all lines I controll after hit with such sabotage.

IMHO is advtrains therefore currently unusable / totally broken.

avatar From: Developer
Thu, 18 Oct 2018 17:18:01 -0000

Here is the offending snippet from trainlogic.lua in the master branch.

Decoupling only checks if coupling is locked and if player has

train_operator priv. Couples should be locked to non-owners by default,

with the option of adding a list of names that may uncouple the wagons.

function advtrains.safe_decouple_wagon(w_id, pname)

if not minetest.check_player_privs(pname, "train_operator") then

minetest.chat_send_player(pname, "Missing train_operator privilege")

return false

end

local data = advtrains.wagons[w_id]

if data.dcpl_lock then

minetest.chat_send_player(pname, "Couple is locked (ask owner or admin to unlock it)")

return false

end

atprint("wagon:discouple() Splitting train", data.train_id)

local train = advtrains.trains[data.train_id]

advtrains.log("Discouple", pname, train.last_pos, train.text_outside)

advtrains.split_train_at_wagon(w_id)

return true

end

avatar From: OP
Fri, 19 Oct 2018 11:02:01 -0000

I think that changing the behaviour on (de)coupling is a pointless and dangerous working on symptoms - and as long as this serious bug is not fixed it even makes coupling for other players - even when asked to do it - impossible. (not able to add players to a whitelist -> no other players able to (de)couple )

avatar From: Developer
Fri, 19 Oct 2018 11:11:01 -0000

Exactly, a whitelist should be added.

Reply