Merge branch 'jak1/priv_esc_bugfix' into 'master'

fixed minor accesslevel vuln. reported by Hello=). See merge request legacy/manamarket!15
author: Jesusalva Jesusalva <jesusalva@themanaworld.org> 2022-12-15 12:11:37 +0000
committer: Jesusalva Jesusalva <jesusalva@themanaworld.org> 2022-12-15 12:11:37 +0000
commit: 00318e4c05a399bcfc5bbca5453a302176cd52fa (patch)
tree: e7884d8475c363bc4c2ba09a2beefe63cc650669
parent: a01f9d8865fb62e993864257ba28dfab21435ae7 (diff)
parent: 33d50a92b8be36e194403027e1d2193a5b6a28e2 (diff)
download: manamarket-00318e4c05a399bcfc5bbca5453a302176cd52fa.tar.gz
manamarket-00318e4c05a399bcfc5bbca5453a302176cd52fa.tar.bz2
manamarket-00318e4c05a399bcfc5bbca5453a302176cd52fa.tar.xz
manamarket-00318e4c05a399bcfc5bbca5453a302176cd52fa.zip
1 files changed, 3 insertions, 0 deletions
diff --git a/main.py b/main.py
index 2f43894..cd4397e 100755
--- a/main.py
+++ b/main.py
@@ -422,6 +422,9 @@ def process_whisper(nick, msg, mapserv):
             return
 
         if broken_string[1].isdigit() and broken_string[2].isdigit():
+            if int(broken_string[1]) > user.get("accesslevel"):
+                mapserv.sendall(whisper(nick, "You can't give someone a higher accesslevel than your own."))
+                return
             al = int(broken_string[1])
             stalls = int(broken_string[2])
             player_name = " ".join(broken_string[3:])
author	Jesusalva Jesusalva <jesusalva@themanaworld.org>	2022-12-15 12:11:37 +0000
committer	Jesusalva Jesusalva <jesusalva@themanaworld.org>	2022-12-15 12:11:37 +0000
commit	00318e4c05a399bcfc5bbca5453a302176cd52fa (patch)
tree	e7884d8475c363bc4c2ba09a2beefe63cc650669
parent	a01f9d8865fb62e993864257ba28dfab21435ae7 (diff)
parent	33d50a92b8be36e194403027e1d2193a5b6a28e2 (diff)
download	manamarket-00318e4c05a399bcfc5bbca5453a302176cd52fa.tar.gz manamarket-00318e4c05a399bcfc5bbca5453a302176cd52fa.tar.bz2 manamarket-00318e4c05a399bcfc5bbca5453a302176cd52fa.tar.xz manamarket-00318e4c05a399bcfc5bbca5453a302176cd52fa.zip