MOO-cows Mailing List Archive


Re: Means of gathering data

>Please explain to me the nature of the insecurity.  To me, it seems fine--
>'player' is the object number of the player who initiated the task
>that resulted in this code being run.  If that player's .wizard = 0 then
>they will get E_PERM.

Wizards are constantly calling verbs owned by other non-wizard players,
just by looking at them or moving to their rooms, for example.

So, if a player embedded a call to that verb inside their
look_self and got a wizard to look at e, then the verb would
check that player.wizard == 1 and then perform the restricted

Typically, you wish to look at the permissions of the CALLING verb;
the verb that calls the current verb.

So, you'd say something like

if (!caller_perms().wizard)
  return E_PERM;
endif

to return an error if the calling verb didn't have wizard permissions.

Permissioning in MOO is not obvious but it does work very well
if you are careful.  (We once found a +w verb with wizard permissions
on Id... which had caused a severe security breach!)


Tom Ritchford,

Verge's "Little Idiot" -- Music for the mentally peculiar.
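
The call chain described in the message above, as an added example that is not part of the original post: a simplified Python model (not LambdaMOO server code) in which `player` stays fixed for the whole task while the caller's permissions change with each verb call. The names `Obj`, `Verb`, `invoke`, `Wizard` and `Mallory` are assumptions of this model.

```python
from dataclasses import dataclass
from typing import Callable, Optional

E_PERM = "E_PERM"

@dataclass(frozen=True)
class Obj:
    name: str
    wizard: bool = False

@dataclass(frozen=True)
class Verb:
    owner: Obj        # a verb runs with its owner's permissions
    body: Callable    # body(this_verb, player, caller_perms)

WIZ = Obj("Wizard", wizard=True)   # constructed sample objects
MALLORY = Obj("Mallory")           # non-wizard programmer

def invoke(verb: Verb, player: Obj, caller: Optional[Verb]):
    """Run verb; caller_perms is the owner of the verb that called it."""
    return verb.body(verb, player, caller.owner if caller else None)

def guarded(check):
    """Build a wizard-owned restricted verb that uses the given check."""
    def body(this, player, caller_perms):
        return "restricted action ran" if check(player, caller_perms) else E_PERM
    return Verb(WIZ, body)

def calls(owner, target):
    """Build a verb owned by `owner` whose body just calls `target`."""
    return Verb(owner, lambda this, player, cp: invoke(target, player, caller=this))

# Check from the quoted message: trusts whoever started the task.
by_player = guarded(lambda player, cp: player.wizard)
# Check from the reply: trusts only the permissions of the calling verb.
by_caller = guarded(lambda player, cp: cp is not None and cp.wizard)

def wizard_looks_at_mallory(restricted):
    # Wizard's look -> Mallory's look_self -> restricted verb
    look = calls(WIZ, calls(MALLORY, restricted))
    return invoke(look, player=WIZ, caller=None)

def wizard_verb_calls(restricted):
    # A wizard-owned verb calls the restricted verb directly.
    return invoke(calls(WIZ, restricted), player=WIZ, caller=None)
```

With the `player` check the restricted verb runs when the wizard merely looks at the other player's object; with the caller-permissions check the same chain returns `E_PERM`, while a wizard-owned caller still succeeds.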

