Merge pull request #14247 from timothyteakettle/another-dumb-href-exploit

[s] stops you purging sec records without being logged in
This commit is contained in:
Lin
2021-02-14 17:05:43 -06:00
committed by GitHub
+2
View File
@@ -264,6 +264,8 @@ What a mess.*/
active1 = null
if(!( GLOB.data_core.security.Find(active2) ))
active2 = null
if(!authenticated && href_list["choice"] != "Log In") // logging in is the only action you can do if not logged in
return
if(usr.contents.Find(src) || (in_range(src, usr) && isturf(loc)) || hasSiliconAccessInArea(usr) || IsAdminGhost(usr))
usr.set_machine(src)
switch(href_list["choice"])