[BUG] Non-OP players bypass the Quickshop lock

zirran commented 1 month ago

Description

I used the plugin for the leaves side, and then a player with non-OP permissions bypassed the QuickShop permission group (I had set "quickshop.other.open" to "false" with LP and the player was in the permission group) and took the items in the store.

Steps to reproduce

Set up permission groups
Turn off the player's "quickshop.other.open" permission
Remove the player's OP permission
The player tries to open the store's chest
The player successfully opens and picks up the item

Expected Behaviour

Block the player and prevent him from opening it

Screenshots

ff72cb1231b820056056abb0bef01a3d

https://github.com/user-attachments/assets/17052170-1b4b-4874-9ce1-2eead29056f2

`/quickshop paste` URL

https://ghost-chu.github.io/quickshop-hikari-paste-viewer/?remote=https%3A%2F%2Fbytebin.lucko.me%2FVlF67CuakR

Additional Context

No response

Checklist

[X] I'm running Paper or Spigot, and not a fork
[X] I confirm that Paper/Spigot has been updated to the latest build
[X] I confirm that QuickShop-Hikari has been updated to the latest stable version released on Modrinth (or the latest CI version)
[ ] I confirm that I have not read these checkboxes and therefore I just ticked them all.
[X] I confirm that I'm using QuickShop-Hikari, not QuickShop-Reremake, and I'm well aware that they're maintained by different people, and that Reremake issues shouldn't be reported here.
[X] I confirm that I am running a server that is not a Hybird Server, (e.g. Mohist, Magma, CatServer, Banner, etc.), and I am aware that QuickShop-Hikari may not function properly on a Forge/Fabric hybrid server, and I am running at my own risk on such a server program, and I am aware that the I run such server-side programs at my own risk and know that I will not receive any support or help for this behavior.
[X] I am well aware that if the Issue Ticket is not filled out correctly and completely, it will simply be closed without any response or reason.

YuanYuanOwO commented 1 month ago

remove all quickshop related permissions from player group.

quickshop.player is all you need.

YuanYuanOwO commented 1 month ago

I've closed the issue for now, the test result may be a conflict with residence, further testing is needed. The solution is to change SNEAKING_RIGHT_CLICK_SIGN in interaction.yml.

I'll open a new issue if there are any new developments

QuickShop-Community / QuickShop-Hikari