Johnny Killstone Posted November 10, 2014 Share Posted November 10, 2014 Hello, I got a small issue here, as you know ACL rights are defined as value1=true, value2=false etc. However if a right are supposed to be false do I have to keep it like value=false or can I just remove that right from the acl file, how does that effect the security? Link to comment
Bilal135 Posted November 10, 2014 Share Posted November 10, 2014 Well, if you're talking about 'true' and 'false' then let me tell you a thing. ACL rights are for resources, if the console requests them or anything else. In the script, there are two values. true and false. For example, true makes the function work done. False returns it. Do not give admin rights to a resource until you trust it 100% However, if you're using kickPlayer or banPlayer or any "admin" function, you must add resource name in admin group in ACL in order to make the function work, other wise it will give some error in the console. I can give you some example. function playerNametag(Player) setPlayerNametagShowing(Player, false) -- See (false). end addEventHandler("onPlayerJoin", root, playerNametag) If we didn't have added false, something like this. setPlayerNametagShowing(Player) It would automatically become 'true so yes, you need to define true or false. Link to comment
Johnny Killstone Posted November 10, 2014 Author Share Posted November 10, 2014 You didn't read what I wrote right?, I know how true and false works in lua but what about the ACL, let's say I have these rights for example: <right name="command.right1" access="true"></right> <right name="command.right2" access="false"></right> As you can se, right1 is true and right 2 is false and this works perfectly, this is how the rights are defined by default, but what happens if I do this? <right name="command.right1" access="true"></right> Practically this has the same effect in game, but is this secure or will it be possible to exploit in some way? if false isn't defined I suppose the result may become nil and that's not the same as false so are these two equal or is there any disadvantage I should consider? Link to comment
Anubhav Posted November 10, 2014 Share Posted November 10, 2014 I guess, it make's the command for that group if true else it doesn't allow. But you must state it in other acl groups. I saw ACL.XML and tried to get it. Link to comment
Mr_Moose Posted November 11, 2014 Share Posted November 11, 2014 From a security view it shouldn't be any difference, the point of false rather than undefined is probably a way for the server to output an error message in case of missing acl rights, for example if a resource without proper rights tries to kick a player you'll see something like "missing acl rights for group ... to perform 'function.kickplayer'". If it's undefined you have no ide which right is missing, if you're goal is to save space however you have most of the rights in default group already, all set to false, these applies to everything by default and after that new rights are loaded on top on that. So in short, you should be able to remove rights with the value 'false' from all other groups than default and only keep those who's value is 'true'. Link to comment
Johnny Killstone Posted November 15, 2014 Author Share Posted November 15, 2014 Alright, thank you guys. Link to comment
Recommended Posts
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
Register a new accountSign in
Already have an account? Sign in here.
Sign In Now