MOO-cows Mailing List Archive

[Prev][Next][Index][Thread]

Re: Security




> Stock players shouldn't be able to @chparent themselves, that is a verb
> left to $builder.  make sure that new players are kids of $player, and not
> $builder.

Actually you may need to modify #4:@chparent, because a non-builder can 
still do something like '@chparent me to #4' and have it work.  At least, 
this was true on older cores; I've not tested it with a more recent core.

It seems to work because the verb is on the target parent, so even if the 
player class doesn't have the verb on them, they can still use the verb 
to chparent themselves upward to a builder or programmer or some other 
class that descends from #4.

I'd probably add some code in chparent along the lines of

 elseif (!($object_utils:isa(parent(player),$builder)))
   return E_PERM;

or some such.  I don't care if people reparent themselves on either of my 
moos so I don't have the code in there for this.

-Jackie Hamilton (kira@metronet.com)
http://www.metronet.com/~kira/



Follow-Ups:

Home | Subject Index | Thread Index