Fix withdraw/deposit exploit

Closes #8
TownyAdvanced · Dec 18, 2022 · 21782dc · 21782dc
1 parent fe4351a
commit 21782dc
Show file tree

Hide file tree

Showing 4 changed files with 63 additions and 30 deletions.
diff --git a/gradle.properties b/gradle.properties
@@ -1,4 +1,4 @@
 group = io.github.townyadvanced
-version = 0.0.4-SNAPSHOT
+version = 0.0.4
 
 townyVersion = 0.98.3.10
diff --git a/src/main/java/io/github/townyadvanced/townymenus/menu/ResidentMenu.java b/src/main/java/io/github/townyadvanced/townymenus/menu/ResidentMenu.java
@@ -156,36 +156,43 @@ public static List<MenuItem> formatFriendsView(@NotNull Player player) {
     }
 
     private static MenuInventory formatResidentFriends(Player player) {
-        return MenuInventory.paginator()
+        final MenuInventory.PaginatorBuilder builder = MenuInventory.paginator()
                 .title(Component.text("Resident Friends"))
-                .addItems(formatFriendsView(player))
-                .addExtraItem(MenuItem.builder(Material.WRITABLE_BOOK)
-                        .name(Component.text("Add Friend", NamedTextColor.GREEN))
-                        .lore(Component.text("Click here to add a player as a friend.", NamedTextColor.GRAY))
-                        .slot(SlotAnchor.anchor(VerticalAnchor.fromBottom(0), HorizontalAnchor.fromLeft(1)))
-                        .action(ClickAction.userInput("Enter player name.", name -> {
-                            Resident resident = TownyAPI.getInstance().getResident(player);
-                            if (resident == null)
-                                return AnvilGUI.Response.text("You are not registered.");
+                .addItems(formatFriendsView(player));
 
-                            Resident friend = TownyAPI.getInstance().getResident(name);
-                            if (friend == null || friend.isNPC() || friend.getUUID().equals(resident.getUUID()))
-                                return AnvilGUI.Response.text("Not a valid resident.");
+        if (player.hasPermission(PermissionNodes.TOWNY_COMMAND_RESIDENT_FRIEND.getNode())) {
+            builder.addExtraItem(MenuItem.builder(Material.WRITABLE_BOOK)
+                    .name(Component.text("Add Friend", NamedTextColor.GREEN))
+                    .lore(Component.text("Click here to add a player as a friend.", NamedTextColor.GRAY))
+                    .slot(SlotAnchor.anchor(VerticalAnchor.fromBottom(0), HorizontalAnchor.fromLeft(1)))
+                    .action(ClickAction.userInput("Enter player name.", name -> {
+                        if (!player.hasPermission(PermissionNodes.TOWNY_COMMAND_RESIDENT_FRIEND.getNode()))
+                            return AnvilGUI.Response.close();
 
-                            if (resident.hasFriend(friend))
-                                return AnvilGUI.Response.text(friend.getName() + " is already your friend!");
+                        Resident resident = TownyAPI.getInstance().getResident(player);
+                        if (resident == null)
+                            return AnvilGUI.Response.text("You are not registered.");
 
-                            List<Resident> friends = new ArrayList<>();
-                            friends.add(friend);
+                        Resident friend = TownyAPI.getInstance().getResident(name);
+                        if (friend == null || friend.isNPC() || friend.getUUID().equals(resident.getUUID()))
+                            return AnvilGUI.Response.text("Not a valid resident.");
 
-                            ResidentCommand.residentFriendAdd(player, resident, friends);
-                            TownyMenus.logger().info(player.getName() + " has added " + friend.getName() + " as a friend.");
+                        if (resident.hasFriend(friend))
+                            return AnvilGUI.Response.text(friend.getName() + " is already your friend!");
 
-                            // Re-open resident friends menu
-                            MenuHistory.reOpen(player, () -> formatResidentFriends(player));
-                            return AnvilGUI.Response.text("");
-                        }))
-                        .build())
-                .build();
+                        List<Resident> friends = new ArrayList<>();
+                        friends.add(friend);
+
+                        ResidentCommand.residentFriendAdd(player, resident, friends);
+                        TownyMenus.logger().info(player.getName() + " has added " + friend.getName() + " as a friend.");
+
+                        // Re-open resident friends menu
+                        MenuHistory.reOpen(player, () -> formatResidentFriends(player));
+                        return AnvilGUI.Response.text("");
+                    }))
+                    .build());
+        }
+
+        return builder.build();
     }
 }
diff --git a/src/main/java/io/github/townyadvanced/townymenus/menu/helper/GovernmentMenus.java b/src/main/java/io/github/townyadvanced/townymenus/menu/helper/GovernmentMenus.java
@@ -11,6 +11,7 @@
 import com.palmergames.bukkit.towny.object.Government;
 import com.palmergames.bukkit.towny.object.Nation;
 import com.palmergames.bukkit.towny.object.Town;
+import com.palmergames.bukkit.towny.permissions.PermissionNodes;
 import com.palmergames.util.MathUtil;
 import io.github.townyadvanced.townymenus.gui.MenuHelper;
 import io.github.townyadvanced.townymenus.gui.MenuHistory;
@@ -69,21 +70,39 @@ else if (playerGovernment instanceof Nation nation)
     }
 
     public static MenuInventory createDepositWithdrawMenu(final Player player, final Government government) {
+        if (!governmentExists(government))
+            return MenuInventory.builder().rows(1)
+                    .addItem(MenuHelper.backButton().build())
+                    .addItem(MenuItem.builder(Material.BARRIER).name(Component.text("Invalid Government", NamedTextColor.GREEN)).build())
+                    .build();
+
+        final PermissionNodes root = government instanceof Town ? PermissionNodes.TOWNY_COMMAND_TOWN : PermissionNodes.TOWNY_COMMAND_NATION;
+
         return MenuInventory.builder()
                 .title(Component.text("Deposit or Withdraw"))
                 .rows(3)
                 .addItem(MenuHelper.backButton().build())
                 .addItem(MenuItem.builder(Material.EMERALD)
                         .name(Component.text("Deposit", NamedTextColor.GREEN))
                         .slot(SlotAnchor.anchor(VerticalAnchor.fromTop(1), HorizontalAnchor.fromLeft(2)))
-                        .lore(Component.text("Click to deposit into the bank.", NamedTextColor.GRAY))
-                        .action(depositOrWithdraw(player, government, false))
+                        .lore(() -> {
+                            if (!player.hasPermission(root.getNode("deposit")))
+                                return Component.text("You do not have permission to deposit into the bank.", NamedTextColor.GRAY);
+                            else
+                                return Component.text("Click to deposit into the bank.", NamedTextColor.GRAY);
+                        })
+                        .action(!player.hasPermission(root.getNode("deposit")) ? ClickAction.NONE : depositOrWithdraw(player, government, false))
                         .build())
                 .addItem(MenuItem.builder(Material.REDSTONE)
                         .name(Component.text("Withdraw", NamedTextColor.GREEN))
                         .slot(SlotAnchor.anchor(VerticalAnchor.fromTop(1), HorizontalAnchor.fromRight(2)))
-                        .lore(Component.text("Click to withdraw from the bank.", NamedTextColor.GRAY))
-                        .action(depositOrWithdraw(player, government, true))
+                        .lore(() -> {
+                            if (!player.hasPermission(root.getNode("withdraw")))
+                                return Component.text("You do not have permission to withdraw from the bank.", NamedTextColor.GRAY);
+                            else
+                                return Component.text("Click to withdraw from the bank.", NamedTextColor.GRAY);
+                        })
+                        .action(!player.hasPermission(root.getNode("withdraw")) ? ClickAction.NONE : depositOrWithdraw(player, government, true))
                         .build())
                 .build();
     }
@@ -97,6 +116,9 @@ private static UserInputAction depositOrWithdraw(final Player player, final Gove
             }
 
             boolean town = government instanceof Town;
+            if (!player.hasPermission(town ? PermissionNodes.TOWNY_COMMAND_TOWN_DEPOSIT.getNode() : PermissionNodes.TOWNY_COMMAND_NATION_DEPOSIT.getNode()))
+                return AnvilGUI.Response.close();
+
             Class<?> clazz = town ? TownCommand.class : NationCommand.class;
 
             try {

diff --git a/src/main/resources/Changelog.txt b/src/main/resources/Changelog.txt
@@ -19,3 +19,7 @@
   - Moved transaction history & deposit/withdraw buttons to the bank menus
 0.0.3:
   - Updated AnvilGUI version to 1.6.0-SNAPSHOT for proper 1.19.3 support.
+0.0.4:
+  - Fix withdraw/deposits not doing permission tests.
+    - Closes #8
+  - Add missing permission node test for adding a resident as a friend.