From 0243d39c1cd337fdbf5f023ec6f88b2c9f1a39e0 Mon Sep 17 00:00:00 2001 From: PJB3005 Date: Mon, 19 Oct 2015 20:41:03 +0200 Subject: [PATCH] Fixes the permissions exploit. --- code/modules/admin/admin.dm | 4 ++++ code/modules/admin/verbs/SDQL_2/SDQL_2.dm | 18 ++++++++++++++---- 2 files changed, 18 insertions(+), 4 deletions(-) diff --git a/code/modules/admin/admin.dm b/code/modules/admin/admin.dm index 9a34e3eb638..19cb6bede59 100644 --- a/code/modules/admin/admin.dm +++ b/code/modules/admin/admin.dm @@ -22,6 +22,10 @@ var/global/floorIsLava = 0 var/msg = rendered C << msg +// Not happening. +// Yes I could do a +PERMISSIONS check but I'm both too lazy and worried admins might do it on accident. +/datum/admins/SDQL_update(var/const/var_name, var/new_value) + return 0 ///////////////////////////////////////////////////////////////////////////////////////////////Panels diff --git a/code/modules/admin/verbs/SDQL_2/SDQL_2.dm b/code/modules/admin/verbs/SDQL_2/SDQL_2.dm index dfbbef47d68..6786d4903f9 100644 --- a/code/modules/admin/verbs/SDQL_2/SDQL_2.dm +++ b/code/modules/admin/verbs/SDQL_2/SDQL_2.dm @@ -16,6 +16,17 @@ --Lists can be done through [], so say UPDATE /mob SET client.color = [1, 0.75, ...]. */ +// Used by update statements, this is to handle shit like preventing editing the /datum/admins though SDQL but WITHOUT +PERMISSIONS. +// Assumes the variable actually exists. +/datum/proc/SDQL_update(var/const/var_name, var/new_value) + vars[var_name] = new_value + return 1 + +// Because /client isn't a subtype of /datum... +/client/proc/SDQL_update(var/const/var_name, var/new_value) + vars[var_name] = new_value + return 1 + /client/proc/SDQL2_query(var/query_text as message) set category = "Debug" 
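Review bot: The `/datum/admins/SDQL_update` override refuses every write by returning 0, but nothing records that someone just tried to modify a `/datum/admins` through SDQL, and the call site in the later hunk (`temp.SDQL_update(v, SDQL_expression(d, set_list[sets]))`) discards the return value, so the attempt fails silently with neither feedback to the admin nor an audit trail. Since this is exactly the path the commit is closing, the override is the natural place to log the caller and `var_name` through whatever admin-logging helper the codebase uses before `return 0`. The existing comment explains why a +PERMISSIONS check was not used but not what the override guarantees; a header line such as `// SDQL UPDATE may never touch an admin datum: always refuse (returns 0). Change rights through the permissions panel instead.` would state the contract for the next reader.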
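Review bot: The new `/client/proc/SDQL_update` still assigns any client var unconditionally, including `holder`, so if `SDQL_expression` can yield a datum reference or construct one (not visible in this hunk), `UPDATE /client SET holder = …` would give a client an admin datum without ever reaching the `/datum/admins` override, because the deny only applies when the final object in the path is the `/datum/admins` itself. A one-line guard in the client override, `if(var_name == "holder") return 0`, would close that route on the same model the commit uses for the admin datum. Separately, the base proc's comment says it "assumes the variable actually exists", but from the later hunk the `temp.vars.Find(v)` check covers only intermediate path elements, not the final var, so `vars[var_name] = new_value` can be reached with an unknown name; returning 0 when `!(var_name in vars)` would turn that assumption into a guarantee. The comment wording (`handle shit like`) is also worth tidying to match the header style of the rest of the file.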
@@ -129,15 +140,14 @@ var/datum/temp = d var/i = 0 for(var/v in sets) - i++ - if(i == sets.len) + if(++i == sets.len) if(istype(temp, /turf) && (v == "x" || v == "y" || v == "z")) break - temp.vars[v] = SDQL_expression(d, set_list[sets]) + temp.SDQL_update(v, SDQL_expression(d, set_list[sets])) break - if(v in temp.vars.Find(v) && (istype(temp.vars[v], /datum) || istype(temp.vars[v], /client))) + if(temp.vars.Find(v) && (istype(temp.vars[v], /datum) || istype(temp.vars[v], /client))) temp = temp.vars[v] else