MOO-cows Mailing List Archive
Re: Means of gathering data
>Please explain to me the nature of the insecurity. To me, it seems fine--
>'player' is the object number of the player who initiated the task
>that resulted in this code being run. If that player's .wizard = 0 then
>they will get E_PERM.
Wizards are constantly calling verbs owned by other non-wizard players,
just by looking at them or moving to their rooms, for example.
So, if a player embedded a call to that verb inside their
look_self and got a wizard to look at e, then the verb would
check that player.wizard == 1 and then perform the restricted
Typically, you wish to look at the permissions of the CALLING verb;
the verb that calls the current verb.
So, you'd say something like
to return an error if the calling verb didn't have wizard permissions.
Permissioning in MOO is not obvious but it does work very well
if you are careful. (We once found a +w verb with wizard permissions
on Id... which had caused a severe security breach!)
Tom Ritchford email@example.com, firstname.lastname@example.org
Verge's "Little Idiot" -- Music for the mentally peculiar.
Subject Index |