[7046] Do more security level checks in commands using HasLowerSecurity. Make use .account set addon safe for players.

src/game/Chat.cpp

@@ -627,29 +627,46 @@ bool ChatHandler::isAvailable(ChatCommand const& cmd) const
     return m_session->GetSecurity() >= cmd.SecurityLevel;
 }
 
-bool ChatHandler::HasLowerSecurity(Player* target, uint64 guid)
+bool ChatHandler::HasLowerSecurity(Player* target, uint64 guid, bool strong)
 {
-    uint32 target_sec;
+    WorldSession* target_session = NULL;
-
+    uint32 target_account = 0;
-    if (!sWorld.getConfig(CONFIG_GM_LOWER_SECURITY))
-        return false;
-
-    // allow everything from RA console
-    if (!m_session)
-        return false;
 
     if (target)
-        target_sec = target->GetSession()->GetSecurity();
+        target_session = target->GetSession();
     else if (guid)
-        target_sec = accmgr.GetSecurity(objmgr.GetPlayerAccountIdByGUID(guid));
+        target_account = objmgr.GetPlayerAccountIdByGUID(guid);
-    else
+
+    if(!target_session && !target_account)
     {
         SendSysMessage(LANG_PLAYER_NOT_FOUND);
         SetSentErrorMessage(true);
         return true;
     }
 
-    if (m_session->GetSecurity() < target_sec)
+    return HasLowerSecurityAccount(target_session,target_account,strong);
+}
+
+bool ChatHandler::HasLowerSecurityAccount(WorldSession* target, uint32 target_account, bool strong)
+{
+    uint32 target_sec;
+
+    // ignore only for non-players for non strong checks (when allow apply command at least to same sec level)
+    if (m_session->GetSecurity() > SEC_PLAYER && !strong && !sWorld.getConfig(CONFIG_GM_LOWER_SECURITY))
+        return false;
+
+    // allow everything from console and RA console
+    if (!m_session)
+        return false;
+
+    if (target)
+        target_sec = target->GetSecurity();
+    else if (target_account)
+        target_sec = accmgr.GetSecurity(target_account);
+    else
+        return true;                                        // caller must report error for (target==NULL && target_account==0)
+
+    if (m_session->GetSecurity() < target_sec || strong && m_session->GetSecurity() <= target_sec)
     {
         SendSysMessage(LANG_YOURS_SECURITY_IS_LOW);
         SetSentErrorMessage(true);

src/game/Chat.h

@@ -77,7 +77,8 @@ class ChatHandler
 
         virtual bool isAvailable(ChatCommand const& cmd) const;
         virtual bool needReportToTarget(Player* chr) const;
-        bool HasLowerSecurity(Player* target, uint64 guid);
+        bool HasLowerSecurity(Player* target, uint64 guid, bool strong = false);
+        bool HasLowerSecurityAccount(WorldSession* target, uint32 account, bool strong = false);
 
         void SendGlobalSysMessage(const char *str);
 

src/game/ChatHandler.cpp

@@ -190,7 +190,7 @@ void WorldSession::HandleMessagechatOpcode( WorldPacket & recv_data )
 
             Player *player = objmgr.GetPlayer(to.c_str());
             uint32 tSecurity = GetSecurity();
-            uint32 pSecurity = player ? player->GetSession()->GetSecurity() : 0;
+            uint32 pSecurity = player ? player->GetSession()->GetSecurity() : SEC_PLAYER;
             if(!player || tSecurity == SEC_PLAYER && pSecurity > SEC_PLAYER && !player->isAcceptWhispers())
             {
                 WorldPacket data(SMSG_CHAT_PLAYER_NOT_FOUND, (to.size()+1));

src/game/Level2.cpp

@@ -86,27 +86,11 @@ bool ChatHandler::HandleMuteCommand(const char* args)
 
     Player *chr = objmgr.GetPlayer(guid);
 
-    // check security
+    // must have strong lesser security level
-    uint32 account_id = 0;
+    if(HasLowerSecurity (chr,guid,true))
-    uint32 security = 0;
-
-    if (chr)
-    {
-        account_id = chr->GetSession()->GetAccountId();
-        security = chr->GetSession()->GetSecurity();
-    }
-    else
-    {
-        account_id = objmgr.GetPlayerAccountIdByGUID(guid);
-        security = accmgr.GetSecurity(account_id);
-    }
-
-    if(m_session && security >= m_session->GetSecurity())
-    {
-        SendSysMessage(LANG_YOURS_SECURITY_IS_LOW);
-        SetSentErrorMessage(true);
         return false;
-    }
+
+    uint32 account_id = chr ? chr->GetSession()->GetAccountId() : objmgr.GetPlayerAccountIdByGUID(guid);
 
     time_t mutetime = time(NULL) + notspeaktime*60;
 
@@ -152,27 +136,11 @@ bool ChatHandler::HandleUnmuteCommand(const char* args)
 
     Player *chr = objmgr.GetPlayer(guid);
 
-    // check security
+    // must have strong lesser security level
-    uint32 account_id = 0;
+    if(HasLowerSecurity (chr,guid,true))
-    uint32 security = 0;
-
-    if (chr)
-    {
-        account_id = chr->GetSession()->GetAccountId();
-        security = chr->GetSession()->GetSecurity();
-    }
-    else
-    {
-        account_id = objmgr.GetPlayerAccountIdByGUID(guid);
-        security = accmgr.GetSecurity(account_id);
-    }
-
-    if(m_session && security >= m_session->GetSecurity())
-    {
-        SendSysMessage(LANG_YOURS_SECURITY_IS_LOW);
-        SetSentErrorMessage(true);
         return false;
-    }
+
+    uint32 account_id = chr ? chr->GetSession()->GetAccountId() : objmgr.GetPlayerAccountIdByGUID(guid);
 
     if (chr)
     {

src/game/Level3.cpp

@@ -696,7 +696,6 @@ bool ChatHandler::HandleAccountSetGmLevelCommand(const char* args)
 
     std::string targetAccountName;
     uint32 targetAccountId = 0;
-    uint32 targetSecurity = 0;
 
     /// only target player different from self allowed (if targetPlayer!=NULL then not console)
     Player* targetPlayer = getSelectedPlayer();
@@ -710,13 +709,6 @@ bool ChatHandler::HandleAccountSetGmLevelCommand(const char* args)
         arg2 = arg1;
 
         targetAccountId = targetPlayer->GetSession()->GetAccountId();
-        targetSecurity = targetPlayer->GetSession()->GetSecurity();
-        if(!accmgr.GetName(targetAccountId,targetAccountName))
-        {
-            PSendSysMessage(LANG_ACCOUNT_NOT_EXIST,targetAccountName.c_str());
-            SetSentErrorMessage(true);
-            return false;
-        }
     }
     else
     {
@@ -733,7 +725,12 @@ bool ChatHandler::HandleAccountSetGmLevelCommand(const char* args)
         }
 
         targetAccountId = accmgr.GetId(targetAccountName);
-        targetSecurity = accmgr.GetSecurity(targetAccountId);
+        if(!targetAccountId)
+        {
+            PSendSysMessage(LANG_ACCOUNT_NOT_EXIST,targetAccountName.c_str());
+            SetSentErrorMessage(true);
+            return false;
+        }
     }
 
     int32 gm = (int32)atoi(arg2);
@@ -744,12 +741,14 @@ bool ChatHandler::HandleAccountSetGmLevelCommand(const char* args)
         return false;
     }
 
-    /// m_session==NULL only for console
-    uint32 plSecurity = m_session ? m_session->GetSecurity() : SEC_CONSOLE;
-
     /// can set security level only for target with less security and to less security that we have
     /// This is also reject self apply in fact
-    if(targetSecurity >= plSecurity || uint32(gm) >= plSecurity )
+    if(HasLowerSecurityAccount(NULL,targetAccountId,true))
+        return false;
+
+    /// account can't set security to same or grater level, need more power GM or console
+    uint32 plSecurity = m_session ? m_session->GetSecurity() : SEC_CONSOLE;
+    if (uint32(gm) >= plSecurity )
     {
         SendSysMessage(LANG_YOURS_SECURITY_IS_LOW);
         SetSentErrorMessage(true);
@@ -798,19 +797,10 @@ bool ChatHandler::HandleAccountSetPasswordCommand(const char* args)
         return false;
     }
 
-    uint32 targetSecurity = accmgr.GetSecurity(targetAccountId);
-
-    /// m_session==NULL only for console
-    uint32 plSecurity = m_session ? m_session->GetSecurity() : SEC_CONSOLE;
-
     /// can set password only for target with less security
     /// This is also reject self apply in fact
-    if (targetSecurity >= plSecurity)
+    if(HasLowerSecurityAccount (NULL,targetAccountId,true))
-    {
-        SendSysMessage (LANG_YOURS_SECURITY_IS_LOW);
-        SetSentErrorMessage (true);
         return false;
-    }
 
     if (strcmp(szPassword1,szPassword2))
     {
@@ -6192,8 +6182,15 @@ bool ChatHandler::HandleAccountSetAddonCommand(const char* args)
             SetSentErrorMessage(true);
             return false;
         }
+
     }
 
+    // Let set addon state only for lesser (strong) security level
+    // or to self account
+    if (m_session && m_session->GetAccountId () != account_id &&
+        HasLowerSecurityAccount (NULL,account_id,true))
+        return false;
+
     int lev=atoi(szExp);                                    //get int anyway (0 if error)
     if(lev < 0)
         return false;

src/mangosd/CliRunnable.cpp

@@ -80,19 +80,10 @@ bool ChatHandler::HandleAccountDeleteCommand(const char* args)
     }
 
     /// Commands not recommended call from chat, but support anyway
-    if(m_session)
+    /// can delete only for account with less security
-    {
+    /// This is also reject self apply in fact
-        uint32 targetSecurity = accmgr.GetSecurity(account_id);
+    if(HasLowerSecurityAccount (NULL,account_id,true))
-
+        return false;
-        /// can delete only for account with less security
-        /// This is also reject self apply in fact
-        if (targetSecurity >= m_session->GetSecurity())
-        {
-            SendSysMessage (LANG_YOURS_SECURITY_IS_LOW);
-            SetSentErrorMessage (true);
-            return false;
-        }
-    }
 
     AccountOpResult result = accmgr.DeleteAccount(account_id);
     switch(result)

src/shared/revision_nr.h

@@ -1,4 +1,4 @@
 #ifndef __REVISION_NR_H__
 #define __REVISION_NR_H__
- #define REVISION_NR "7045"
+ #define REVISION_NR "7046"
 #endif // __REVISION_NR_H__