MOO-cows Mailing List Archive


Re: Caller & Player

On Wed, 17 Jul 1996, Mentor wrote:

> The following example is taken out of EricM@BioMOO@Diversity University 
> security manual.
> -- quotation start --
> Why is it unacceptable to test "player" for security on +x verbs?
>   I'll give an example. Loro the lazy wizard writes a +x verb that can
> recycle any object and tests permissions with
> "if (!$perm_utils:controls(player,this))" at the verb's beginning. Semli
> the sneaky programmer builds an object and adds a "tell" verb to it (i.e. a
> verb that gets called any time someone in the same room speaks).  The
> "tell" verb calls Loro's +x verb and tells it to recycle all of Loro's
> objects.  Semli puts the object in Loro's room...and Loro gets a nasty
> surprise after connecting.  Neato eh!   Note that "player" will be the
> person speaking (Loro in this case), because "player" is set to whoever
> initiates the action, and can only be changed by wiz-permed verbs.
> Generally, it stays the same from the task's start to its finish.  Now,
> if Loro had tested caller_perms(), then Semli's call would have been caught
> as one that did not have permission to be recycling objects. Got it?

Thanks Mentor for your answer ;)

But, the things I don't understand in this example are:
- In this case, shouldn't the caller also be Loro?
- What does caller_perms() do?
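
The scenario from the quoted manual, as an added example that is not part of the original posts or of the BioMOO manual: a simplified Python model (not MOO code) in which every verb runs with its owner's permissions, `player` is fixed for the whole task, and `caller_perms()` reports the permissions of the calling verb. All class and function names are hypothetical, `controls` is a stand-in for `$perm_utils:controls`, and the objects are constructed sample data.

```python
# Constructed model of MOO task permissions; names are hypothetical.
from collections import namedtuple

NOBODY = "#-1"  # caller_perms() result when no verb called the current one
Obj = namedtuple("Obj", "name owner")

class World:
    def __init__(self, wizards, objects):
        self.wizards = set(wizards)
        self.objects = {o.name: o for o in objects}

    def controls(self, who, obj):  # stand-in for $perm_utils:controls
        return who in self.wizards or who == obj.owner

class Task:
    def __init__(self, player):
        self.player = player   # fixed for the whole task: whoever started it
        self.perms = []        # one entry per running verb: that verb's owner

    def caller_perms(self):
        return self.perms[-2] if len(self.perms) >= 2 else NOBODY

    def call(self, verb_owner, verb, *args):
        self.perms.append(verb_owner)
        try:
            return verb(self, *args)
        finally:
            self.perms.pop()

def recycle_by_player(task, world, this):      # Loro's original check
    if not world.controls(task.player, this):
        return "E_PERM"
    del world.objects[this.name]
    return "recycled"

def recycle_by_caller(task, world, this):      # check on caller_perms() instead
    if not world.controls(task.caller_perms(), this):
        return "E_PERM"
    del world.objects[this.name]
    return "recycled"

def semli_tell(task, world, recycle_verb):     # Semli's "tell" verb, owned by Semli
    mine = [o for o in world.objects.values() if o.owner == "Loro"]
    return [task.call("Loro", recycle_verb, world, o) for o in mine]

def loro_speaks(recycle_verb):
    world = World({"Loro"}, [Obj("desk", "Loro"), Obj("lamp", "Loro"), Obj("trap", "Semli")])
    task = Task(player="Loro")                 # Loro speaking starts the task
    return task.call("Semli", semli_tell, world, recycle_verb), sorted(world.objects)
```

In the model, `player` is Loro in both runs, while `caller_perms()` inside Loro's verb is Semli, because Semli owns the "tell" verb that made the call.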

