Check permission for shop name again after querying it

This protects people that use valid player names as admin shop names
 from people with the same username as well as other cases where the API
 is used to manage access to shops with certain special names.
This commit is contained in:
Phoenix616 2020-11-17 19:52:12 +01:00
parent 00fa83c56a
commit 9bf6e1abc1
No known key found for this signature in database
GPG Key ID: 40E2321E71738EB0

View File

@ -4,6 +4,7 @@ import com.Acrobot.Breeze.Utils.PriceUtil;
import com.Acrobot.ChestShop.Events.ItemParseEvent; import com.Acrobot.ChestShop.Events.ItemParseEvent;
import com.Acrobot.ChestShop.Events.PreShopCreationEvent; import com.Acrobot.ChestShop.Events.PreShopCreationEvent;
import com.Acrobot.ChestShop.Permission; import com.Acrobot.ChestShop.Permission;
import com.Acrobot.ChestShop.UUIDs.NameManager;
import org.bukkit.Bukkit; import org.bukkit.Bukkit;
import org.bukkit.entity.Player; import org.bukkit.entity.Player;
import org.bukkit.event.EventHandler; import org.bukkit.event.EventHandler;
@ -15,6 +16,7 @@ import java.util.Locale;
import static com.Acrobot.ChestShop.Events.PreShopCreationEvent.CreationOutcome.NO_PERMISSION; import static com.Acrobot.ChestShop.Events.PreShopCreationEvent.CreationOutcome.NO_PERMISSION;
import static com.Acrobot.ChestShop.Permission.*; import static com.Acrobot.ChestShop.Permission.*;
import static com.Acrobot.ChestShop.Signs.ChestShopSign.ITEM_LINE; import static com.Acrobot.ChestShop.Signs.ChestShopSign.ITEM_LINE;
import static com.Acrobot.ChestShop.Signs.ChestShopSign.NAME_LINE;
import static com.Acrobot.ChestShop.Signs.ChestShopSign.PRICE_LINE; import static com.Acrobot.ChestShop.Signs.ChestShopSign.PRICE_LINE;
import static org.bukkit.event.EventPriority.HIGH; import static org.bukkit.event.EventPriority.HIGH;
@ -27,6 +29,13 @@ public class PermissionChecker implements Listener {
public static void onPreShopCreation(PreShopCreationEvent event) { public static void onPreShopCreation(PreShopCreationEvent event) {
Player player = event.getPlayer(); Player player = event.getPlayer();
if (event.getOwnerAccount() != null
&& !NameManager.canUseName(player, OTHER_NAME_CREATE, event.getOwnerAccount().getShortName())) {
event.setSignLine(NAME_LINE, "");
event.setOutcome(NO_PERMISSION);
return;
}
String priceLine = event.getSignLine(PRICE_LINE); String priceLine = event.getSignLine(PRICE_LINE);
String itemLine = event.getSignLine(ITEM_LINE); String itemLine = event.getSignLine(ITEM_LINE);