Merge pull request #14247 from timothyteakettle/another-dumb-href-exploit
[s] stops you purging sec records without being logged in
This commit is contained in:
@@ -264,6 +264,8 @@ What a mess.*/
|
||||
active1 = null
|
||||
if(!( GLOB.data_core.security.Find(active2) ))
|
||||
active2 = null
|
||||
if(!authenticated && href_list["choice"] != "Log In") // logging in is the only action you can do if not logged in
|
||||
return
|
||||
if(usr.contents.Find(src) || (in_range(src, usr) && isturf(loc)) || hasSiliconAccessInArea(usr) || IsAdminGhost(usr))
|
||||
usr.set_machine(src)
|
||||
switch(href_list["choice"])
|
||||
|
||||
Reference in New Issue
Block a user