Fixes the permissions exploit.

2025-12-09 16:14:13 +00:00 · 2015-10-19 20:41:03 +02:00
parent e19698ae80
commit 0243d39c1c
2 changed files with 18 additions and 4 deletions
--- a/code/modules/admin/admin.dm
+++ b/code/modules/admin/admin.dm
@@ -22,6 +22,10 @@ var/global/floorIsLava = 0
 				var/msg = rendered
 				C << msg

+// Not happening.
+// Yes I could do a +PERMISSIONS check but I'm both too lazy and worried admins might do it on accident.
+/datum/admins/SDQL_update(var/const/var_name, var/new_value)
+	return 0

 ///////////////////////////////////////////////////////////////////////////////////////////////Panels

--- a/code/modules/admin/verbs/SDQL_2/SDQL_2.dm
+++ b/code/modules/admin/verbs/SDQL_2/SDQL_2.dm
@@ -16,6 +16,17 @@
 	--Lists can be done through [], so say UPDATE /mob SET client.color = [1, 0.75, ...].
 */

+// Used by update statements, this is to handle shit like preventing editing the /datum/admins though SDQL but WITHOUT +PERMISSIONS.
+// Assumes the variable actually exists.
+/datum/proc/SDQL_update(var/const/var_name, var/new_value)
+	vars[var_name] = new_value
+	return 1
+
+// Because /client isn't a subtype of /datum...
+/client/proc/SDQL_update(var/const/var_name, var/new_value)
+	vars[var_name] = new_value
+	return 1
+	
 /client/proc/SDQL2_query(var/query_text as message)
 	set category = "Debug"

@@ -129,15 +140,14 @@
 						var/datum/temp = d
 						var/i = 0
 						for(var/v in sets)
-							i++
-							if(i == sets.len)
+							if(++i == sets.len)
 								if(istype(temp, /turf) && (v == "x" || v == "y" || v == "z"))
 									break

-								temp.vars[v] = SDQL_expression(d, set_list[sets])
+								temp.SDQL_update(v, SDQL_expression(d, set_list[sets]))
 								break

-							if(v in temp.vars.Find(v) && (istype(temp.vars[v], /datum) || istype(temp.vars[v], /client)))
+							if(temp.vars.Find(v) && (istype(temp.vars[v], /datum) || istype(temp.vars[v], /client)))
 								temp = temp.vars[v]

 							else