From 8e83dcd697acb5f8654bee7b239751aca89c72b1 Mon Sep 17 00:00:00 2001
From: silicons <2003111+silicons@users.noreply.github.com>
Date: Wed, 7 Oct 2020 14:43:53 -0700
Subject: [PATCH] event permissions
---
 code/__DEFINES/admin.dm | 3 ++-
 code/__HELPERS/type2type.dm | 2 ++
 code/_globalvars/bitfields.dm | 3 ++-
 code/modules/admin/admin_ranks.dm | 7 +++++++
 code/modules/admin/holder2.dm | 5 +++++
 code/modules/admin/sql_message_system.dm | 2 ++
 code/modules/admin/verbs/getlogs.dm | 2 ++
 code/modules/client/client_procs.dm | 14 ++++++++++++++
 code/modules/mob/mob.dm | 6 ++++++
 code/modules/power/singularity/investigate.dm | 2 +-
 config/admin_ranks.txt | 1 +
 11 files changed, 44 insertions(+), 3 deletions(-)
diff --git a/code/__DEFINES/admin.dm b/code/__DEFINES/admin.dm
index 97f07acc05..143063b4e9 100644
--- a/code/__DEFINES/admin.dm
+++ b/code/__DEFINES/admin.dm
@@ -35,8 +35,9 @@
 #define R_SPAWN (1<<12)
 #define R_AUTOLOGIN (1<<13)
 #define R_DBRANKS (1<<14)
+#define R_SENSITIVE (1<<15)
-#define R_DEFAULT R_AUTOLOGIN
+#define R_DEFAULT R_AUTOLOGIN | R_SENSITIVE
 #define R_EVERYTHING ALL //the sum of all other rank permissions, used for +EVERYTHING
diff --git a/code/__HELPERS/type2type.dm b/code/__HELPERS/type2type.dm
index bbbf99c9de..0987e95dc9 100644
--- a/code/__HELPERS/type2type.dm
+++ b/code/__HELPERS/type2type.dm
@@ -225,6 +225,8 @@
 . += "[seperator]AUTOLOGIN"
 if(rights & R_DBRANKS)
 . += "[seperator]DBRANKS"
+ if(rights & R_SENSITIVE)
+ . += "[seperator]SENSITIVE"
 if(!.)
 . = "NONE"
 return .
diff --git a/code/_globalvars/bitfields.dm b/code/_globalvars/bitfields.dm
index 85f5e4fd9b..276718c0c2 100644
--- a/code/_globalvars/bitfields.dm
+++ b/code/_globalvars/bitfields.dm
@@ -67,7 +67,8 @@ GLOBAL_LIST_INIT(bitfields, list(
 "SOUNDS" = R_SOUNDS,
 "SPAWN" = R_SPAWN,
 "AUTOLOGIN" = R_AUTOLOGIN,
- "DBRANKS" = R_DBRANKS
+ "DBRANKS" = R_DBRANKS,
+ "SENSITIVE" = R_SENSITIVE
 ),
 "interaction_flags_atom" = list(
 "INTERACT_ATOM_REQUIRES_ANCHORED" = INTERACT_ATOM_REQUIRES_ANCHORED, 
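Review bot: In code/__DEFINES/admin.dm the new `R_DEFAULT` expands to an unparenthesised `R_AUTOLOGIN | R_SENSITIVE`, so any use beside a tighter-binding operator (`rights & R_DEFAULT`, `~R_DEFAULT`) parses differently from what the name suggests; write it as `#define R_DEFAULT (R_AUTOLOGIN | R_SENSITIVE)`. Putting R_SENSITIVE into the default set also makes the restriction opt-out: going by the config comment added later in this commit, every rank holds the flag until someone writes `-SENSITIVE`. A short comment on the define stating that ranks must remove the flag explicitly would make that visible to whoever maintains the rank files.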
diff --git a/code/modules/admin/admin_ranks.dm b/code/modules/admin/admin_ranks.dm
index ef4abeb0ad..39053b8e15 100644
--- a/code/modules/admin/admin_ranks.dm
+++ b/code/modules/admin/admin_ranks.dm
@@ -44,6 +44,11 @@ GLOBAL_PROTECT(protected_ranks)
 /datum/admin_rank/vv_edit_var(var_name, var_value)
 return FALSE
+/datum/admin_rank/CanProcCall(procname)
+ . = ..()
+ if(!check_rights(R_SENSITIVE))
+ return FALSE
+
 /proc/admin_keyword_to_flag(word, previous_rights=0)
 var/flag = 0
 switch(ckey(word))
@@ -79,6 +84,8 @@ GLOBAL_PROTECT(protected_ranks)
 flag = R_AUTOLOGIN
 if("dbranks")
 flag = R_DBRANKS
+ if("sensitive")
+ flag = R_SENSITIVE
 if("@","prev")
 flag = previous_rights
 return flag
diff --git a/code/modules/admin/holder2.dm b/code/modules/admin/holder2.dm
index 09f9664295..03878268d2 100644
--- a/code/modules/admin/holder2.dm
+++ b/code/modules/admin/holder2.dm
@@ -28,6 +28,11 @@ GLOBAL_PROTECT(href_token)
 var/deadmined
+/datum/admins/CanProcCall(procname)
+ . = ..()
+ if(!check_rights(R_SENSITIVE))
+ return FALSE
+
 /datum/admins/New(datum/admin_rank/R, ckey, force_active = FALSE, protected)
 if(IsAdminAdvancedProcCall())
 var/msg = " has tried to elevate permissions!"
diff --git a/code/modules/admin/sql_message_system.dm b/code/modules/admin/sql_message_system.dm
index 356746ddbc..d8135d54c0 100644
--- a/code/modules/admin/sql_message_system.dm
+++ b/code/modules/admin/sql_message_system.dm
@@ -299,6 +299,8 @@
 qdel(query_find_message_secret)
 /proc/browse_messages(type, target_ckey, index, linkless = FALSE, filter, agegate = FALSE)
+ if(!check_rights(R_SENSITIVE))
+ return
 if(!SSdbcore.Connect())
 to_chat(usr, "Failed to establish database connection.")
 return
diff --git a/code/modules/admin/verbs/getlogs.dm b/code/modules/admin/verbs/getlogs.dm
index 4cbb0214f7..446dbcc69a 100644
--- a/code/modules/admin/verbs/getlogs.dm
+++ b/code/modules/admin/verbs/getlogs.dm 
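Review bot: The refusal branch of `/datum/admin_rank/CanProcCall` in admin_ranks.dm returns FALSE without writing anything to the admin log, and the same is true of `/datum/admins/CanProcCall` in holder2.dm, `browse_messages` in sql_message_system.dm and `browseserverlogs` in getlogs.dm. Unless `check_rights` records refusals itself (its body is not part of this diff), a proc call aimed at the rank or holder datums by someone lacking SENSITIVE leaves no trace, whereas the `/datum/admins/New` context in the holder2.dm hunk appears to build a "has tried to elevate permissions!" report for a comparable case. Logging the denied attempt together with the caller's key in each of these branches would give reviewers the same trail. In the two `CanProcCall` overrides the rights check could also run before `. = ..()`, so the parent is not consulted for a caller who is about to be refused.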
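Review bot: Only `/datum/admin_rank` and `/datum/admins` (this hunk, holder2.dm) receive a `CanProcCall` override in the commit, while the comment added to config/admin_ranks.txt tells operators that SENSITIVE also gates proc calls on clients and subsystems. Those types may already be protected elsewhere, but nothing in this diff adds a gate for them, so either add the matching overrides or narrow the config wording so nobody assumes coverage that is not there. A one-line comment above this override, `// proc calls on admin holders require R_SENSITIVE`, would record the intent next to the code.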
@@ -14,6 +14,8 @@
 browseserverlogs("[GLOB.log_directory]/")
 /client/proc/browseserverlogs(path = "data/logs/")
+ if(!check_rights(R_SENSITIVE))
+ return
 path = browse_files(path)
 if(!path)
 return
diff --git a/code/modules/client/client_procs.dm b/code/modules/client/client_procs.dm
index 45990cd21f..332365e032 100644
--- a/code/modules/client/client_procs.dm
+++ b/code/modules/client/client_procs.dm
@@ -917,8 +917,22 @@ GLOBAL_LIST_INIT(blacklisted_builds, list(
 if(NAMEOF(src, view))
 change_view(var_value)
 return TRUE
+ if(NAMEOF(src, computer_id))
+ return FALSE
+ if(NAMEOF(src, address))
+ return FALSE
 . = ..()
+/client/vv_get_var(var_name)
+ . = ..()
+ switch(var_name)
+ if(NAMEOF(src, computer_id))
+ if(!check_rights(R_SENSITIVE, FALSE))
+ return "SENSITIVE"
+ if(NAMEOF(src, address))
+ if(!check_rights(R_SENSITIVE, FALSE))
+ return "SENSITIVE"
+
 /client/proc/rescale_view(change, min, max)
 var/viewscale = getviewsize(view)
 var/x = viewscale[1]
diff --git a/code/modules/mob/mob.dm b/code/modules/mob/mob.dm
index e1a4ac6118..256aa0ed5d 100644
--- a/code/modules/mob/mob.dm
+++ b/code/modules/mob/mob.dm
@@ -991,6 +991,12 @@ GLOBAL_VAR_INIT(exploit_warn_spam_prevention, 0)
 switch(var_name)
 if("logging")
 return debug_variable(var_name, logging, 0, src, FALSE)
+ if(NAMEOF(src, lastKnownIP))
+ if(!check_rights(R_SENSITIVE, FALSE))
+ return "SENSITIVE"
+ if(NAMEOF(src, computer_id))
+ if(!check_rights(R_SENSITIVE, FALSE))
+ return "SENSITIVE"
 . = ..()
 /mob/vv_auto_rename(new_name)
diff --git a/code/modules/power/singularity/investigate.dm b/code/modules/power/singularity/investigate.dm
index 3caf934b50..5db912b8d6 100644
--- a/code/modules/power/singularity/investigate.dm
+++ b/code/modules/power/singularity/investigate.dm
@@ -1,4 +1,4 @@
 /area/engine/engineering/poweralert(state, source)
 if (state != poweralm)
 investigate_log("has a power alarm!", INVESTIGATE_SINGULO)
- ..()
\ No newline at end of file
+ ..() 
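Review bot: `/client/vv_get_var` in client_procs.dm assigns `. = ..()` before the rights check, so the parent has presumably already read and formatted the real `computer_id` or `address` by the time the proc decides to mask it, while the mob.dm hunk checks first and calls the parent last. Moving `. = ..()` below the `switch` would give both procs the same shape and mean the real value is never produced for a caller without SENSITIVE. The mask also covers only the view-variables read path for these two names; whether the codebase offers other ways to read a client's vars cannot be checked from this diff, and any that exist would need the same gate.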
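Review bot: The mob.dm hunk masks `lastKnownIP` and `computer_id` on read but adds no edit block for them, whereas the client_procs.dm hunk makes the client's `computer_id` and `address` return FALSE from `vv_edit_var`. `/mob/vv_edit_var` is not part of this diff, so this may already be handled; if it is not, an admin who cannot see these fields could still overwrite them and change what later lookups or logs report. Refusing edits to both names there, or requiring `check_rights(R_SENSITIVE, FALSE)` for them, would keep read and write rules aligned. The enclosing `vv_get_var` begins above the hunk.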
diff --git a/config/admin_ranks.txt b/config/admin_ranks.txt
index fc1cb96c86..adbba1acb6 100644
--- a/config/admin_ranks.txt
+++ b/config/admin_ranks.txt
@@ -30,6 +30,7 @@
 # +SPAWN (or +CREATE) = mob transformations, spawning of most atoms including mobs (high-risk atoms, e.g. blackholes, will require the +FUN flag too)
 # +AUTOLOGIN = admin gains powers upon connect. This defaults to on, you can use -AUTOLOGIN to make a role require using the readmin verb to gain powers. (this does not effect the admin's ability to walk past bans or other on-connect limitations like panic bunker or pop limit.)
 # +DBRANKS = when sql-based admin loading is enabled, allows for non-temporary changes in the permissions panel to be saved (requires DB)
+# +SENSITIVE = Defaults to on, use - to remove it. Allows reading IPs, CIDs, grabbing logs, and proccalls to certain things like admin holders/clients/subsystems considered "sensitive".
 # +EVERYTHING (or +HOST or +ALL) = Simply gives you everything without having to type every flag
 # END_KEYWORDS