fixed minor accesslevel vuln. reported by Hello=).

author: jak1 <jak1@themanaworld.org> 2022-12-15 12:11:37 +0000
committer: Jesusalva Jesusalva <jesusalva@themanaworld.org> 2022-12-15 12:11:37 +0000
commit: 33d50a92b8be36e194403027e1d2193a5b6a28e2 (patch)
tree: e7884d8475c363bc4c2ba09a2beefe63cc650669
parent: a01f9d8865fb62e993864257ba28dfab21435ae7 (diff)
download: manamarket-33d50a92b8be36e194403027e1d2193a5b6a28e2.tar.gz
manamarket-33d50a92b8be36e194403027e1d2193a5b6a28e2.tar.bz2
manamarket-33d50a92b8be36e194403027e1d2193a5b6a28e2.tar.xz
manamarket-33d50a92b8be36e194403027e1d2193a5b6a28e2.zip
1 files changed, 3 insertions, 0 deletions
diff --git a/main.py b/main.py
index 2f43894..cd4397e 100755
--- a/main.py
+++ b/main.py
@@ -422,6 +422,9 @@ def process_whisper(nick, msg, mapserv):
             return
 
         if broken_string[1].isdigit() and broken_string[2].isdigit():
+            if int(broken_string[1]) > user.get("accesslevel"):
+                mapserv.sendall(whisper(nick, "You can't give someone a higher accesslevel than your own."))
+                return
             al = int(broken_string[1])
             stalls = int(broken_string[2])
             player_name = " ".join(broken_string[3:])
author	jak1 <jak1@themanaworld.org>	2022-12-15 12:11:37 +0000
committer	Jesusalva Jesusalva <jesusalva@themanaworld.org>	2022-12-15 12:11:37 +0000
commit	33d50a92b8be36e194403027e1d2193a5b6a28e2 (patch)
tree	e7884d8475c363bc4c2ba09a2beefe63cc650669
parent	a01f9d8865fb62e993864257ba28dfab21435ae7 (diff)
download	manamarket-33d50a92b8be36e194403027e1d2193a5b6a28e2.tar.gz manamarket-33d50a92b8be36e194403027e1d2193a5b6a28e2.tar.bz2 manamarket-33d50a92b8be36e194403027e1d2193a5b6a28e2.tar.xz manamarket-33d50a92b8be36e194403027e1d2193a5b6a28e2.zip