event permissions

2025-12-09 16:07:40 +00:00 · 2020-10-07 14:43:53 -07:00
parent 89cfde9c34
commit 8e83dcd697
11 changed files with 44 additions and 3 deletions
--- a/code/__DEFINES/admin.dm
+++ b/code/__DEFINES/admin.dm
@@ -35,8 +35,9 @@
 #define R_SPAWN			(1<<12)
 #define R_AUTOLOGIN		(1<<13)
 #define R_DBRANKS		(1<<14)
+#define R_SENSITIVE		(1<<15)

-#define R_DEFAULT R_AUTOLOGIN
+#define R_DEFAULT R_AUTOLOGIN | R_SENSITIVE

 #define R_EVERYTHING ALL //the sum of all other rank permissions, used for +EVERYTHING

--- a/code/__HELPERS/type2type.dm
+++ b/code/__HELPERS/type2type.dm
@@ -225,6 +225,8 @@
 		. += "[seperator]AUTOLOGIN"
 	if(rights & R_DBRANKS)
 		. += "[seperator]DBRANKS"
+	if(rights & R_SENSITIVE)
+		. += "[seperator]SENSITIVE"
 	if(!.)
 		. = "NONE"
 	return .
--- a/code/_globalvars/bitfields.dm
+++ b/code/_globalvars/bitfields.dm
@@ -67,7 +67,8 @@ GLOBAL_LIST_INIT(bitfields, list(
 		"SOUNDS" = R_SOUNDS,
 		"SPAWN" = R_SPAWN,
 		"AUTOLOGIN" = R_AUTOLOGIN,
-		"DBRANKS" = R_DBRANKS
+		"DBRANKS" = R_DBRANKS,
+		"SENSITIVE" = R_SENSITIVE
 		),
 	"interaction_flags_atom" = list(
 		"INTERACT_ATOM_REQUIRES_ANCHORED" = INTERACT_ATOM_REQUIRES_ANCHORED,
--- a/code/modules/admin/admin_ranks.dm
+++ b/code/modules/admin/admin_ranks.dm
@@ -44,6 +44,11 @@ GLOBAL_PROTECT(protected_ranks)
 /datum/admin_rank/vv_edit_var(var_name, var_value)
 	return FALSE

+/datum/admin_rank/CanProcCall(procname)
+	. = ..()
+	if(!check_rights(R_SENSITIVE))
+		return FALSE
+
 /proc/admin_keyword_to_flag(word, previous_rights=0)
 	var/flag = 0
 	switch(ckey(word))
@@ -79,6 +84,8 @@ GLOBAL_PROTECT(protected_ranks)
 			flag = R_AUTOLOGIN
 		if("dbranks")
 			flag = R_DBRANKS
+		if("sensitive")
+			flag = R_SENSITIVE
 		if("@","prev")
 			flag = previous_rights
 	return flag
--- a/code/modules/admin/holder2.dm
+++ b/code/modules/admin/holder2.dm
@@ -28,6 +28,11 @@ GLOBAL_PROTECT(href_token)

 	var/deadmined

+/datum/admins/CanProcCall(procname)
+	. = ..()
+	if(!check_rights(R_SENSITIVE))
+		return FALSE
+
 /datum/admins/New(datum/admin_rank/R, ckey, force_active = FALSE, protected)
 	if(IsAdminAdvancedProcCall())
 		var/msg = " has tried to elevate permissions!"
--- a/code/modules/admin/sql_message_system.dm
+++ b/code/modules/admin/sql_message_system.dm
@@ -299,6 +299,8 @@
 	qdel(query_find_message_secret)

 /proc/browse_messages(type, target_ckey, index, linkless = FALSE, filter, agegate = FALSE)
+	if(!check_rights(R_SENSITIVE))
+		return
 	if(!SSdbcore.Connect())
 		to_chat(usr, "<span class='danger'>Failed to establish database connection.</span>")
 		return
--- a/code/modules/admin/verbs/getlogs.dm
+++ b/code/modules/admin/verbs/getlogs.dm
@@ -14,6 +14,8 @@
 	browseserverlogs("[GLOB.log_directory]/")

 /client/proc/browseserverlogs(path = "data/logs/")
+	if(!check_rights(R_SENSITIVE))
+		return
 	path = browse_files(path)
 	if(!path)
 		return
--- a/code/modules/client/client_procs.dm
+++ b/code/modules/client/client_procs.dm
@@ -917,8 +917,22 @@ GLOBAL_LIST_INIT(blacklisted_builds, list(
 		if(NAMEOF(src, view))
 			change_view(var_value)
 			return TRUE
+		if(NAMEOF(src, computer_id))
+			return FALSE
+		if(NAMEOF(src, address))
+			return FALSE
 	. = ..()

+/client/vv_get_var(var_name)
+	. = ..()
+	switch(var_name)
+		if(NAMEOF(src, computer_id))
+			if(!check_rights(R_SENSITIVE, FALSE))
+				return "SENSITIVE"
+		if(NAMEOF(src, address))
+			if(!check_rights(R_SENSITIVE, FALSE))
+				return "SENSITIVE"
+
 /client/proc/rescale_view(change, min, max)
 	var/viewscale = getviewsize(view)
 	var/x = viewscale[1]
--- a/code/modules/mob/mob.dm
+++ b/code/modules/mob/mob.dm
@@ -991,6 +991,12 @@ GLOBAL_VAR_INIT(exploit_warn_spam_prevention, 0)
 	switch(var_name)
 		if("logging")
 			return debug_variable(var_name, logging, 0, src, FALSE)
+		if(NAMEOF(src, lastKnownIP))
+			if(!check_rights(R_SENSITIVE, FALSE))
+				return "SENSITIVE"
+		if(NAMEOF(src, computer_id))
+			if(!check_rights(R_SENSITIVE, FALSE))
+				return "SENSITIVE"
 	. = ..()

 /mob/vv_auto_rename(new_name)
--- a/code/modules/power/singularity/investigate.dm
+++ b/code/modules/power/singularity/investigate.dm
@@ -1,4 +1,4 @@
 /area/engine/engineering/poweralert(state, source)
 	if (state != poweralm)
 		investigate_log("has a power alarm!", INVESTIGATE_SINGULO)
-	..()
+	..()
--- a/config/admin_ranks.txt
+++ b/config/admin_ranks.txt
@@ -30,6 +30,7 @@
 # +SPAWN (or +CREATE) = mob transformations, spawning of most atoms including mobs (high-risk atoms, e.g. blackholes, will require the +FUN flag too)
 # +AUTOLOGIN = admin gains powers upon connect. This defaults to on, you can use -AUTOLOGIN to make a role require using the readmin verb to gain powers. (this does not effect the admin's ability to walk past bans or other on-connect limitations like panic bunker or pop limit.)
 # +DBRANKS = when sql-based admin loading is enabled, allows for non-temporary changes in the permissions panel to be saved (requires DB)
+# +SENSITIVE = Defaults to on, use - to remove it. Allows reading IPs, CIDs, grabbing logs, and proccalls to certain things like admin holders/clients/subsystems considered "sensitive".
 # +EVERYTHING (or +HOST or +ALL) = Simply gives you everything without having to type every flag
 # END_KEYWORDS