- Removed config option RBAC.DefaultGroups
Use the table rbac_security_level_groups to configure the groups to be added to the account at load time.
Note: Those groups are only used at run time, never saved to DB
Fix memory leak in command line handler on platforms other than Windows. The result of readline() is supposed to be freed with free() as described at http://cnswww.cns.cwru.edu/php/chet/readline/readline.html#SEC24 .
Valgrind log:
11 bytes in 2 blocks are definitely lost in loss record 6 of 61
at 0x4C28BED: malloc (vg_replace_malloc.c:263)
by 0x4E5F6E8: xmalloc (in /lib/x86_64-linux-gnu/libreadline.so.6.2)
by 0x4E4571A: readline_internal_teardown (in /lib/x86_64-linux-gnu/libreadline.so.6.2)
by 0x4E46541: readline (in /lib/x86_64-linux-gnu/libreadline.so.6.2)
by 0x1005284: CliRunnable::run() (CliRunnable.cpp:161)
by 0x163A3DA: ACE_Based::Thread::ThreadTask(void*) (Threading.cpp:186)
by 0x518C555: ACE_OS_Thread_Adapter::invoke() (OS_Thread_Adapter.cpp:103)
by 0x61D7B4F: start_thread (pthread_create.c:304)
by 0x6C66A7C: clone (clone.S:112)
Settings within worldserver.conf:
Three settings for security level:
0 - None - No change to current system
1 - Email - Always requires the email entered on registration for confirming.
2 - RBAC - Groups applied with the RBAC role always require the email entered on registration for confirming.
RBAC default to every group. Changed some logs to make it more clear what is going on at all.
Emails may now no longer exceed 64 chars. Current email is used as regmail.
On account creation, two emails are saved. Registration email and normal email. Normal email is relevant afterwards. Registration email can be changed by console ONLY.
Includes new commands and changes to existing ones:
.account fulfills several new functions:
* Still prints GM Level.
* If account has permission, it displays the current email. This is not defaulted to any group.
* Security level is displayed. Also displays if user has RBAC perm if RBAC security mode is selected
.account email allows user to change email with sufficient confirmation
.account set sec email allows higher sec with higher sec than account to change the normal email. Registration email remains untouched here.
.account set sec regmail allows console to change registration email.
.pinfo now displays the registration and normal mail.
Also fixes .learn all crafts.
Closes #10558
Fix race condition by replacing a static volatile uint32 with proper atomic thread-safe ACE_Atomic_Op<ACE_Thread_Mutex, uint32>, incremented in WorldRunnable::run() at each world loop and read in FreezeDetectorRunnable::run().
Helgrind log:
Possible data race during read of size 4 at 0x2400D54 by thread #12
Locks held: none
at 0x100FEA6: FreezeDetectorRunnable::run() (Master.cpp:106)
by 0x1637892: ACE_Based::Thread::ThreadTask(void*) (Threading.cpp:186)
by 0x518F555: ACE_OS_Thread_Adapter::invoke() (OS_Thread_Adapter.cpp:103)
by 0x4C2B5AD: mythread_wrapper (hg_intercepts.c:219)
by 0x61DAB4F: start_thread (pthread_create.c:304)
by 0x6C69A7C: clone (clone.S:112)
This conflicts with a previous write of size 4 by thread #9
Locks held: none
at 0x100C23E: WorldRunnable::run() (WorldRunnable.cpp:55)
by 0x1637892: ACE_Based::Thread::ThreadTask(void*) (Threading.cpp:186)
by 0x518F555: ACE_OS_Thread_Adapter::invoke() (OS_Thread_Adapter.cpp:103)
by 0x4C2B5AD: mythread_wrapper (hg_intercepts.c:219)
by 0x61DAB4F: start_thread (pthread_create.c:304)
by 0x6C69A7C: clone (clone.S:112)
Currently regulates the usage of CMSG_CHAR_ENUM only, but can be easily
extended to detect inappropriate network behaviour by using
AntiDOS.AllowOpcode in WorldSession's handlers.
On Linux, superuser (root) is required to set a process high priority and we shouldn't force that.
(It's already set to 0 (Normal) in worldserver\Master.cpp and authserver\Main.cpp)
Tested with:
- Windows 8 x64
- MySQL 5.5.30 win32
- OpenSSL 1.0.1c (32 bits)
- No PCH
- MinGW with GCC 4.7.0
TODO:
- Fix compile/link with PCH enabled
- Fix compile with WheatyExceptionReport enabled (ignored for now)
- Fix compile of .rc files (ignored for now)
- Test with more platforms
- Remove config options: CONFIG_ALLOW_TWO_SIDE_INTERACTION_CHAT, CONFIG_ALLOW_TWO_SIDE_INTERACTION_MAIL, CONFIG_GM_LOG_TRADE, CONFIG_ALLOW_TWO_SIDE_ACCOUNTS, CONFIG_ALLOW_TWO_SIDE_WHO_LIST, CONFIG_ALLOW_GM_FRIEND, CONFIG_ALLOW_TWO_SIDE_ADD_FRIEND, CONFIG_SILENTLY_GM_JOIN_TO_CHANNEL
- Fix RBAC_PERM_SKIP_CHECK_CHAT_SPAM (Was checking spam for those that had the permission)
- Only check RBAC_PERM_TWO_SIDE_INTERACTION_CHAT for sender of whispers (Restores GM being able to whisper players)
- Only check RBAC_PERM_TWO_SIDE_INTERACTION_MAIL for sender
- Fix .ticket assign <Player>, with last RBAC change it was changed by mistake from Player to Account
* Removed long deprecated code for mining nodes (multiple uses, artifact of TBC)
* Made fishing pools generate use count only on spawn (and respawn) instead of randomizing use count on every fishing attempt - prevents early despawning in some cases
Caused when RASocket::handle_close (event-driven) would delete the underlying object before RASocket::commandFinished callback was executed for that object. Dereferencing freed pointers is bad.
Fixes RASocket::authenticate crash
"MSG_NOSIGNAL:
If you send() to a remote host which is no longer recv()ing, you'll typically get the signal SIGPIPE. Adding this flag prevents that signal from being raised."
Closes #5040
Thanks to @derex for the hint
- This system will give more control of actions an account can perform.
System defines:
- Permissions to perform some action
- Roles: a set of permissions that have some relation
- Groups: a set of roles that have some relation
Operations:
- Grant: Assign and allow
- Deny: Assign and do not allow
- Revoke: Remove
Precedence to know if something can be done: Grant, Deny. That means, if you are granted some action by a role but you have denied the permission, the action can not be done.
Some Rules:
- Groups can only have roles
- Roles can only have permissions
- An account can be assigned granted and denied roles. Permissions inherited from roles are granted if the role is granted and denied if the role is denied
- An account can be assigned granted and denied permissions
- An account can have multiple groups, roles and permissions
- An account can not have same role granted and denied at same time
- An account cannot have same permission granted and denied at same time
- Id 0 can not be used to define a group, role or permission
Added some permissions as a sample of use (Instant Logout, Skip Queue, Join BGs, Join DF) and some permissions as a workaround to commands till command system is modified to use RBAC
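The grant/deny precedence and assignment rules listed above, worked through as an added example (not code from the commit or from the project). The type and method names are hypothetical, and it assumes that roles reached through a group count as granted roles.

```cpp
#include <cstdint>
#include <map>
#include <set>

using Id = std::uint32_t;
using IdSet = std::set<Id>;

// Hypothetical model: which permissions each role holds, which roles each group holds.
struct RbacModel {
    std::map<Id, IdSet> rolePermissions;  // role  -> permissions
    std::map<Id, IdSet> groupRoles;       // group -> roles
};

class AccountRbac {
public:
    explicit AccountRbac(const RbacModel& m) : model(m) {}
    void AddGroup(Id group) { if (group != 0) groups.insert(group); }
    // Grant/Deny return false when the rules above forbid the assignment.
    bool GrantRole(Id r)       { return Assign(r, grantedRoles, deniedRoles); }
    bool DenyRole(Id r)        { return Assign(r, deniedRoles, grantedRoles); }
    bool GrantPermission(Id p) { return Assign(p, grantedPerms, deniedPerms); }
    bool DenyPermission(Id p)  { return Assign(p, deniedPerms, grantedPerms); }
    void RevokePermission(Id p) { grantedPerms.erase(p); deniedPerms.erase(p); }

    bool HasPermission(Id perm) const {
        // Deny is evaluated first: a denied permission or role overrides any grant.
        if (deniedPerms.count(perm) || InRoles(deniedRoles, perm)) return false;
        if (grantedPerms.count(perm) || InRoles(grantedRoles, perm)) return true;
        for (Id g : groups) {  // assumption: roles of a group are treated as granted
            auto it = model.groupRoles.find(g);
            if (it != model.groupRoles.end() && InRoles(it->second, perm)) return true;
        }
        return false;  // nothing grants it
    }
private:
    static bool Assign(Id id, IdSet& target, IdSet& opposite) {
        if (id == 0 || opposite.count(id)) return false;  // id 0 invalid; never both
        target.insert(id);
        return true;
    }
    bool InRoles(const IdSet& roles, Id perm) const {
        for (Id r : roles) {
            auto it = model.rolePermissions.find(r);
            if (it != model.rolePermissions.end() && it->second.count(perm)) return true;
        }
        return false;
    }
    RbacModel model;
    IdSet groups, grantedRoles, deniedRoles, grantedPerms, deniedPerms;
};
```

Denying a single permission on an account removes it even though a group role still grants it, and revoking that denial restores the inherited grant.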
Example: [13] Westfall Stew
Default = 0 (off). Make sure to set UI.ShowQuestLevelsInDialogs to 1 to turn it on
NOTES:
* DO NOT supply the quest level when using commands such as .lookup quest, it
is not actually part of the title (even though it will be printed in the result)
* Also adds the level in the quest tracker and quest log
* If locale is used, the level is added after the proper title is looked up
* LUA Mods that offer this feature do not work properly with TC, most will not put the level in all dialogs. Users who have such mods should disable the mod's feature or they may see the quest level listed twice.
Example: [13][13] Westfall Stew