tposney closed this issue 1 year ago
Good point - thanks for the heads up. Will go out in 0.8.36
In 0.8.36 the world name is not exported.
For the modules only the module.data is now exported, which is just the module.json data for each module.
I could not see anything else that would be a problem - but feel free to give it the once over.
fvtt-midi-qol-settings_27.json
In GitLab by @happy-cujo on Jul 23, 2021, 05:21
Looks good!
With module manifests I'm wondering about non-public modules, like the ones from Patreon or something like that. The manifest URL is public (because Foundry needs to have access to it) but it's not publicly known and only the supporters should have access to it. So in this case removing the manifest and download URL should solve that, but that would kinda screw up the flow while replicating the environment. But that's probably something for a separate ticket.
It could also be an idea for a module that does that (or to expand Bug Reporter): an export/import settings module where the GM can select which module settings should be exported, plus the list of enabled modules. Then each module can plug into that and obscure fields that shouldn't be exposed. I'll leave that idea on https://github.com/League-of-Foundry-Developers/bug-reporter
// Edit: Never mind, they already did this.
Thanks for that - I'd not thought about that, but it's an excellent point. I think it's probably better to just export a specific list of fields, rather than deleting some.
name
title
description
url
version
minimumCoreVersion
compatibleCoreVersion
scripts
esmodules
socket
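The allowlist approach from the comment above, as an added example that is not part of the original thread and not midi-qol's own code. The function names, the path heuristic, and the `manifest`, `download` and `path` fields in the constructed sample are assumptions.

```javascript
// Fields copied from each module's data; this is the list given in the comment above.
const EXPORTED_MODULE_FIELDS = [
  "name", "title", "description", "url", "version",
  "minimumCoreVersion", "compatibleCoreVersion",
  "scripts", "esmodules", "socket",
];

// Copy only allowlisted keys, so a field added later is not exported by default.
function pickModuleFields(moduleData) {
  const out = {};
  for (const key of EXPORTED_MODULE_FIELDS) {
    if (Object.prototype.hasOwnProperty.call(moduleData, key)) out[key] = moduleData[key];
  }
  return out;
}

// Heuristic (assumption): strings starting with a drive letter, a UNC prefix,
// or /home, /Users, /root are treated as absolute local paths.
const ABSOLUTE_PATH = /^(?:[A-Za-z]:[\\/]|\\\\|\/(?:home|Users|root)\/)/;

// Walk the export and return the JSON locations of path-like strings.
function findAbsolutePaths(value, where = "$", hits = []) {
  if (typeof value === "string") {
    if (ABSOLUTE_PATH.test(value)) hits.push(where);
  } else if (Array.isArray(value)) {
    value.forEach((v, i) => findAbsolutePaths(v, `${where}[${i}]`, hits));
  } else if (value !== null && typeof value === "object") {
    for (const [k, v] of Object.entries(value)) findAbsolutePaths(v, `${where}.${k}`, hits);
  }
  return hits;
}

// Build the export object; refuse to produce it if a local path survived.
function buildExport(settings, modules) {
  const data = { settings, modules: modules.map(pickModuleFields) };
  const leaks = findAbsolutePaths(data);
  if (leaks.length > 0) throw new Error(`absolute path in export at: ${leaks.join(", ")}`);
  return data;
}

// Constructed sample input, not taken from a real installation.
const sampleModule = {
  name: "example-module", title: "Example Module", version: "1.0.0",
  esmodules: ["scripts/main.js"], socket: true,
  manifest: "https://example.invalid/supporters/module.json",
  download: "https://example.invalid/supporters/module.zip",
  path: "/home/alice/foundrydata/Data/modules/example-module",
};
```

The allowlist handles module metadata, while the path scan also covers the settings values themselves, which the allowlist does not touch.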
In GitLab by @happy-cujo on Jul 20, 2021, 23:24
As a feature that is used for sharing or for debugging purposes, it shouldn't contain any data that describes the server/application infrastructure/setup.
The world name and absolute paths to the modules in the JSON export file aren't useful to others who want to import settings to replicate behavior. Additionally, absolute paths can expose sensitive data like the username when the data folder is somewhere under the home directory.
A possible scenario is when a GM is playing with a random person who gently asks for a "midi-qol" settings export so he can set it up for his own game. Giving a username to somebody else is a bit risky. For an attacker it's one thing less to figure out when trying to gain unauthorized access to the machine.
Many of the players/GMs aren't well trained in security, and the smallest leak could put them at risk.