evaera / RoVer

This repo is RoVer V1, which is now deprecated and will no longer work. Get Rover V2 now: https://rover.link
Apache License 2.0

People able to bypass server auth settings #249

Closed Blackcatmaxy closed 2 years ago

Blackcatmaxy commented 4 years ago

By joining a Discord server and then verifying your account, it automatically gives you the verified role without making you send a server message or reaction.

Auth settings like "2FA required" stop you from sending messages or reacting in a server until you either meet the requirement or are given a role.

Many servers need these settings in order to stop raids, but they are made useless by auto-giving of roles.

autonordev commented 4 years ago

For Discord's default security options, the only real solution for this would be to have a (preferably disabled by default) setting which requires users to manually run !verify.

For other Discord bots (e.g. you must agree to rules to chat) you can easily have this work on top of RoVer with permissions.

PhoenixShay commented 4 years ago

https://discord.js.org/#/docs/main/master/class/Guild?scrollTo=mfaLevel could be utilized to automatically determine if we should disable auto verifications.

Blackcatmaxy commented 4 years ago

> For Discord's default security options, the only real solution for this would be to have a (preferably disabled by default) setting which requires users to manually run !verify.
>
> For other Discord bots (e.g. you must agree to rules to chat) you can easily have this work on top of RoVer with permissions.

Once someone has a role given to them, they are seen as having fulfilled the auth setting.

autonordev commented 4 years ago

> > For Discord's default security options, the only real solution for this would be to have a (preferably disabled by default) setting which requires users to manually run !verify. For other Discord bots (e.g. you must agree to rules to chat) you can easily have this work on top of RoVer with permissions.
>
> Once someone has a role given to them, they are seen as having fulfilled the auth setting.

That’s what I said. If you're using Discord’s system, auto verification would need to be disabled. If you aren’t using Discord’s system and are using a custom one, you’d have to do it through permissions.

SUPERCHIEFYT commented 4 years ago

Well, you can technically disable the member-join auto verification if you have joinDM disabled, due to this line of code: https://github.com/evaera/RoVer/blob/master/src/DiscordBot.js#L228. If the joinDM is set to false, it doesn't try to verify the user once they join the server. Unsure if that is intentional or a bug in the code at the moment. 🤷‍♀️

PhoenixShay commented 4 years ago

> Unsure if that is intentional or a bug in the code at the moment. 🤷‍♀️

That was a bit of an oversight.
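The gate discussed in this thread, as an added example that is not RoVer's code or part of any comment above: before granting a role on member join, check the guild's `verificationLevel` and `mfaLevel` (the discord.js `Guild` properties linked earlier) and an opt-in per-server setting. The setting name `requireManualVerify` and the function names are hypothetical, and treating any non-zero verification level as a reason to skip auto-verification is an assumption about the desired policy.

```javascript
// Added example (not RoVer's code): decide whether a verification bot may
// grant its role automatically when a member joins. All names are hypothetical.

// discord.js has exposed verificationLevel as a string ('NONE'..'VERY_HIGH')
// and as a number (0..4) across major versions, so accept both forms.
const LEVEL_NAMES = ['NONE', 'LOW', 'MEDIUM', 'HIGH', 'VERY_HIGH'];

function normaliseLevel(level) {
  if (Number.isInteger(level) && level >= 0 && level <= 4) return level;
  if (typeof level === 'string') {
    const idx = LEVEL_NAMES.indexOf(level.toUpperCase());
    if (idx !== -1) return idx;
  }
  // Unknown or missing value: fail closed and treat it as the strictest level.
  return 4;
}

// mfaLevel is 0 / 'NONE' when the server does not require 2FA.
// Anything else, including a missing value, is treated as "required".
function mfaRequired(mfaLevel) {
  return !(mfaLevel === 0 || mfaLevel === 'NONE');
}

// Returns { allow, reason }. When allow is false the bot should not assign
// the role on join and should wait for the member to run !verify instead.
function shouldAutoVerifyOnJoin(guild, settings = {}) {
  if (settings.requireManualVerify === true) {
    return { allow: false, reason: 'manual-verify-setting' };
  }
  if (normaliseLevel(guild.verificationLevel) > 0) {
    // A role given on join would exempt the member from this requirement.
    return { allow: false, reason: 'verification-level' };
  }
  if (mfaRequired(guild.mfaLevel)) {
    return { allow: false, reason: 'mfa-level' };
  }
  return { allow: true, reason: 'no-gating' };
}

// Constructed sample guilds (plain objects standing in for discord.js Guild).
const openGuild = { verificationLevel: 'NONE', mfaLevel: 0 };
const gatedGuild = { verificationLevel: 'HIGH', mfaLevel: 0 };
console.log(shouldAutoVerifyOnJoin(openGuild));
console.log(shouldAutoVerifyOnJoin(gatedGuild));
```

In a `guildMemberAdd` handler, the result's `allow` flag would decide whether the role is assigned immediately or only after the member runs the verify command themselves.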