
Script access and security


shrike

Question

Hello

I have been learning to code in Lua for the past few months. I have read through most of the server and scripting posts and have found lots of help in solving scripting problems.

However, I recently ran into a problem accessing certain functions, like kickPlayer. I have modified the admin acl, adding permissions for each function, and I am a member of the admin group. My script is admin use only, and most functions are wrapped in “hasObjectPermissionTo” if statements, which default to false if the permission is not explicitly granted. Although I can kick from the server control panel and the chatwindow, whenever I tried to access function.kickPlayer, I would get an “access denied” error from the server.

In a recent post someone suggested adding the script resource into the admin group, which would grant the script permission to use kickPlayer and other functions. It worked but I have a few questions:

1. Is adding my script to the admin group a secure and appropriate way to resolve the problem, or is there a better way?

2. Is it a good idea to add a large collection of permissions to the admin group, or should I move all these permissions to a custom list instead?

3. As well as granting these permissions in the admin group, I’ve denied them in all other acl’s. Is setting these functions to false in the other acl’s unnecessary overkill?

4. I use a gui to control the script and while testing noticed that I could access the gui before logging into the server. I’d like the gui to be inaccessible until I’m logged in, as the admin panel is but I can’t figure out how to do this. Any suggestions?

If anyone can suggest where I can find a comprehensive write up on acl’s that would be great. It would be even better if it’s MTASA specific.

Thanks and any help with the above would be appreciated.


2 answers to this question


1. That's just fine. If your resource needs access to some administrative functions such as kickPlayer then this is the way to go.

2. If you're dealing with a lot of custom permissions it's also advisable to make a custom list to keep things clean.

3. Denying a permission only in the "Default" acl group is enough since every object is part of it at first.

4. Just check "if isGuestAccount ( getPlayerAccount ( player ) ) == false" as otherwise the player would have a registered account which means he's logged in.

https://wiki.multitheftauto.com/wiki/Access_Control_List
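
The login check from point 4 combined with the permission check from the question, as an added example that is not part of the original posts: a server-side script that repeats both checks on every privileged request, not only when the GUI is shown, because anything enforced only on the client can be bypassed. The resource name `adminpanel`, the `/panel` command, the event names and the acl.xml fragment in the comments are assumptions.

```lua
-- Server-side script of a hypothetical resource "adminpanel" (added example).
-- Assumed acl.xml entries using a custom list, so the resource itself may
-- call kickPlayer without being added to the Admin group:
--   <group name="AdminPanel">
--     <acl name="AdminPanel" />
--     <object name="resource.adminpanel" />
--   </group>
--   <acl name="AdminPanel">
--     <right name="function.kickPlayer" access="true" />
--   </acl>

-- True only for a logged-in player whose own ACL rights include kickPlayer.
local function isAuthorized(player)
    if not isElement(player) or getElementType(player) ~= "player" then
        return false
    end
    local account = getPlayerAccount(player)
    if not account or isGuestAccount(account) then
        return false -- not logged in: guests never get the panel
    end
    -- Third argument is the default when no ACL mentions the right.
    return hasObjectPermissionTo(player, "function.kickPlayer", false)
end

-- Open the GUI only on request and only for authorized players.
-- The client script must declare the event: addEvent("adminpanel:show", true)
addCommandHandler("panel", function(player)
    if isAuthorized(player) then
        triggerClientEvent(player, "adminpanel:show", resourceRoot)
    else
        outputChatBox("Log in with an admin account first.", player)
    end
end)

-- Privileged action sent by the GUI via triggerServerEvent.
addEvent("adminpanel:kick", true)
addEventHandler("adminpanel:kick", resourceRoot, function(targetName, reason)
    -- 'client' is set by the server to the player who really sent the event;
    -- never trust a player element passed as an argument.
    if not isAuthorized(client) then
        return
    end
    local target = getPlayerFromName(tostring(targetName))
    if target then
        kickPlayer(target, client, tostring(reason or "Kicked by admin"))
    end
end)
```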


Thanks for replying so quickly and for answering all of my questions, Mr.Hankey.

I looked through the function lists several times but somehow missed the "isGuestAccount" option. I'll add the check and try it out.

I am going with the custom list. It should shrink the acl substantially and will make acl management much simpler.

Writing most of the code was more of a Lua learning exercise. Now comes the tough part, coming up with an idea for a gamemode. After seeing what some of the other forum users have come up with, I'll have to get much better at Lua as well.

Again, your help is much appreciated.
