[BUG] Punch style shop creation does not check for other permissions before placing a sign

TakeTheReigns commented 5 months ago

Is there an existing issue for this?

[X] I have searched the existing issues

Type of bug

Exploit, Compatibility issue, Other unexpected behaviour

Environment

- Server Version: PAPER 1.20.4
- Shop Version: 1.8.4.6

Server startup log

https://gist.github.com/TakeTheReigns/0d3cd5fe1663b8b2eea2f87dfed1afaf

Shop config files

https://gist.github.com/TakeTheReigns/d0fa07a61391b5bdbe063a905f259a2e

Error log (if applicable)

No response

Bug description

Punch style shop creation does not check for other permissions before placing a sign, then allows creation of shop regardless.

This may or maynot allow access to chests locked by other means, or lock other players out of something they should be able to access, depending on plugin.

Steps to reproduce

Have a chest that you shouldn't be able to access, open, interact with due to permissions
crouch-punch the chest to start a shop creation dialog
complete shop dialog
enjoy plugin permissions conflict

Expected behaviour

When you punch a chest, which either has a protection, or is not in a region you own, the expectation is that any shop activity is interrupted, and either a worldguard interrupt message, or whatever protection interrupt message plays.

You shouldn't be able to do anything.

Actual behaviour

Two circumstances, same results. Allows creation of shops over permission areas you shouldn't be able to.

Worldguard: Region supports shop creation ie: allow-shops: allow BUT isn't a region you have other permissions in. crouch-punching a chest places a sign and begins the make shop dialogue in chat. When you complete all steps, a shop is created. If you are not a member or owner of the region, or if chest-access: deny, you cannot open this chest. If the region does not support shopcreation at all, ie: allow-shops: deny, there is no issue.

Blocklocker: chest has a sign on it, [private] with names that aren't yours, etc. crouch-punching a chest places a sign and begins the make shop dialogue in chat. When you complete all steps, a shop is created. You may now open the locked chest, and add/remove contents.

Other information

OstlerDev commented 2 months ago

I have revamped our WorldGuard integration so that it will now properly respect the flags passthrough, build, chest-access. These checks will now always be performed, and are checked first before the allow-shop flag.

The allow-shop flag has now been made optional!

(Default) Ignore Flag:
- Allow shops everywhere that you can build and access chests, and ignore the allow-shop flag completely.
- Verify hookWorldGuard is false in your config.yml file
Require Flag:
- Completely disallow shops in all regions that do not explicitly have allow-shop: ALLOW.
- Set hookWorldGuard to true in your config.yml file

All of these fixes/changes will be included in the 1.9.1.0 release!

OstlerDev commented 1 month ago

Released 1.9.1.0

snowgears / shopbugs