MOO-cows Mailing List Archive


Re: more questions

> In message <>, Tim MacLachlan writes:
> > 
> > 1. how do i create an object that cannot be moved by anyone other than
> > me? (hope you dont mind me including your question, Stephen)
> @verb foo:moveto this none this
> @program foo:moveto
> if (player == this.owner)
>   pass(@args);
> else
>   player:tell("You fail to move ",, " to ", args[1].name, ".");
> endif

This is actually a small security leak.  The reason is, I could reprogram
my :tell verb (a commonly called one) to try to move an object with the
above code installed to wherever.  When that object's owner pages me,
says something in a room I'm in, or does one of a zillion other things
that could result in my :tell being called, then 'player' in that verb call
will pass that permissions check.

A more robust approach would be:

if ($perm_utils:controls (caller_perms(), this) && (player == this.owner))

This one checks to see that the owner of the verb calling this:moveto()
has permissions for this object (i.e. the owner or a wizard) and that the
task that resulted in the verbcall was started by this object's owner.

That way, my malicious :tell verb would fail to move the object.


Home | Subject Index | Thread Index