collapse collapse
* User Info
 
 
Welcome, Guest. Please login or register.
* Search

* Board Stats
  • stats Total Members: 989
  • stats Total Posts: 18366
  • stats Total Topics: 2501
  • stats Total Categories: 7
  • stats Total Boards: 35
  • stats Most Online: 1144

Author Topic: Security.php bugs  (Read 4055 times)

0 Members and 2 Guests are viewing this topic.

Offline Glarawyn

  • BeBot Hero
  • ******
  • Posts: 521
  • Karma: +0/-0
Security.php bugs
« on: January 29, 2008, 06:50:09 am »
I've been finding some fairly serious bugs in security related to the mains cache.

get_access_level() was modified to return cached values without performing all checks for highest access level, which I think is what caused the problem but I'm not 100% sure.

I discovered the issue by adding and removing users from a custom group. When I added a user with an access level of MEMBER to a group which had an access of LEADER, the user did not get LEADER access until the bot was restarted.

After restarting the bot and removing the user from the security group, the user's access level did not return to MEMBER until the bot was restarted.

I didn't note the original line number, but somewhere around L1550 get_access_level() was returning information from the mains cache that was no longer up to date due to the group membership changes. I've removed this in the 0.4 branch and things are working as expected now.

Somewhere along the way we may have lost the code that updates the security cache when adding and removing group members, or we created a bug....

Ideally we should be returning cached information if it is available, but something seems wrong with our logic at the moment. Someone (most likely me, oh joy) needs to take a serious look at Security.php do the following:

  • If there is a change that might cause a chaced access level to chance, recheck and recache.
  • Make sure that /tell botname security whois player returns expected results when changing access levels for groups, adding/removing group members, chaning access levels for org ranks, etc.
  • In general just update Security.php to get it up to BeBot's formatting standards (indents, brackets, etc.)

Offline Alreadythere

  • BeBot Maintainer
  • BeBot Hero
  • ******
  • Posts: 1288
  • Karma: +0/-0
Re: Security.php bugs
« Reply #1 on: January 29, 2008, 11:02:58 am »
I added the caching for mains in get_access_level(). I tried to adapt all cases where access rights get updated, looks like I missed some. Ideally the functions that can influence the access level of a character should update the mains cache as needed too.

I added the mains cache because especially with the extension for alts the checks and function calls done in get_access_level() got pretty high.

 

* Recent Posts
Com bot module by bitnykk
[November 25, 2024, 05:36:11 pm ]


0.8.x updates for AO by bitnykk
[June 23, 2024, 03:19:47 pm ]


0.8.x updates for AoC by bitnykk
[June 23, 2024, 03:19:44 pm ]


[AoC] special char for items module by bitnykk
[February 09, 2024, 09:41:18 pm ]


BeBot still alive & kicking ! by bitnykk
[December 17, 2023, 12:58:44 am ]

* Who's Online
  • Dot Guests: 106
  • Dot Hidden: 0
  • Dot Users: 0

There aren't any users online.
* Forum Staff
bitnykk admin bitnykk
Administrator
Khalem admin Khalem
Administrator
WeZoN gmod WeZoN
Global Moderator
SimplePortal 2.3.7 © 2008-2024, SimplePortal