check permission to prevent CustomEvent injection

Beu
2025-06-22 11:45:02 +02:00
parent 827e59ff93
commit aefff423f7


@ -483,6 +483,11 @@ class DirectoryBrowser implements ManialinkPageAnswerListener {
* @param Player $player * @param Player $player
*/ */
public function handleAddFile(array $actionCallback, Player $player) { public function handleAddFile(array $actionCallback, Player $player) {
if (!$this->maniaControl->getAuthenticationManager()->checkPermission($player, MapManager::SETTING_PERMISSION_ADD_MAP)) {
$this->maniaControl->getAuthenticationManager()->sendNotAllowed($player);
return;
}
$actionName = $actionCallback[1][2]; $actionName = $actionCallback[1][2];
$fileName = base64_decode(substr($actionName, strlen(self::ACTION_ADD_FILE))); $fileName = base64_decode(substr($actionName, strlen(self::ACTION_ADD_FILE)));
$folderPath = $player->getCache($this, self::CACHE_FOLDER_PATH); $folderPath = $player->getCache($this, self::CACHE_FOLDER_PATH);
@ -542,6 +547,11 @@ class DirectoryBrowser implements ManialinkPageAnswerListener {
* @param Player $player * @param Player $player
*/ */
public function handleEraseFile(array $actionCallback, Player $player) { public function handleEraseFile(array $actionCallback, Player $player) {
if (!$this->maniaControl->getAuthenticationManager()->checkPermission($player, MapManager::SETTING_PERMISSION_ERASE_MAP)) {
$this->maniaControl->getAuthenticationManager()->sendNotAllowed($player);
return;
}
$actionName = $actionCallback[1][2]; $actionName = $actionCallback[1][2];
$fileName = base64_decode(substr($actionName, strlen(self::ACTION_ERASE_FILE))); $fileName = base64_decode(substr($actionName, strlen(self::ACTION_ERASE_FILE)));
$folderPath = $player->getCache($this, self::CACHE_FOLDER_PATH); $folderPath = $player->getCache($this, self::CACHE_FOLDER_PATH);
@ -569,6 +579,11 @@ class DirectoryBrowser implements ManialinkPageAnswerListener {
* @param Player $player * @param Player $player
*/ */
public function handleCreateFolder(array $actionCallback, Player $player) { public function handleCreateFolder(array $actionCallback, Player $player) {
if (!$this->maniaControl->getAuthenticationManager()->checkPermission($player, MapManager::SETTING_PERMISSION_ADD_MAP)) {
$this->maniaControl->getAuthenticationManager()->sendNotAllowed($player);
return;
}
$name = trim($actionCallback[1][3][0]["Value"]); $name = trim($actionCallback[1][3][0]["Value"]);
var_dump($actionCallback); var_dump($actionCallback);
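Review bot: In `handleAddFile` and `handleEraseFile` the line right after the new guard still takes `$fileName` from the client-supplied action name via `base64_decode(...)`, and nothing visible in these hunks constrains it to the folder held in `CACHE_FOLDER_PATH`; the permission check narrows who may call the handler, not which path they may name. If these are always plain file names, reducing the decoded value first, `$fileName = basename(base64_decode(substr($actionName, strlen(self::ACTION_ERASE_FILE))));`, and rejecting an empty result would keep an add or erase inside the browsed directory; the same applies to `$name` in `handleCreateFolder`. All three method bodies continue outside the hunks, so a later check may already cover this and is worth confirming. Separately, the `var_dump($actionCallback);` context line in `handleCreateFolder` looks like leftover debug output and would be better removed.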