From 33d50a92b8be36e194403027e1d2193a5b6a28e2 Mon Sep 17 00:00:00 2001
From: jak1 <jak1@themanaworld.org>
Date: Thu, 15 Dec 2022 12:11:37 +0000
Subject: fixed minor accesslevel vuln. reported by Hello=).

---
 main.py | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/main.py b/main.py
index 2f43894..cd4397e 100755
--- a/main.py
+++ b/main.py
@@ -422,6 +422,9 @@ def process_whisper(nick, msg, mapserv):
             return
 
         if broken_string[1].isdigit() and broken_string[2].isdigit():
+            if int(broken_string[1]) > user.get("accesslevel"):
+                mapserv.sendall(whisper(nick, "You can't give someone a higher accesslevel than your own."))
+                return
             al = int(broken_string[1])
             stalls = int(broken_string[2])
             player_name = " ".join(broken_string[3:])
-- 
cgit v1.2.3-60-g2f50