From a3288e2ed92dd48e8d0130990a54db17ab289db6 Mon Sep 17 00:00:00 2001 From: rubenwardy Date: Fri, 20 Jul 2018 20:51:31 +0100 Subject: [PATCH] Add warnings to various book chapters --- _en/basics/lua.md | 2 -- _en/players/chat.md | 52 ++++++++++++++++++++-------------------- _en/players/formspecs.md | 9 +++++++ _sass/_content.scss | 18 +++++++++++--- lua_api.html | 2 +- utils/update_lua_api.py | 2 +- 6 files changed, 52 insertions(+), 33 deletions(-) diff --git a/_en/basics/lua.md b/_en/basics/lua.md index 485c12e..c1deb46 100644 --- a/_en/basics/lua.md +++ b/_en/basics/lua.md @@ -71,8 +71,6 @@ One such IDE is Eclipse with the Koneki Lua plugin: ## Coding in Lua -{% include notice.html level="warning" message="This section is a Work in Progress. May be unclear." %} - Programs are a series of commands that run one after another. We call these commands "statements." diff --git a/_en/players/chat.md b/_en/players/chat.md index b138c13..54f8f20 100644 --- a/_en/players/chat.md +++ b/_en/players/chat.md @@ -5,6 +5,23 @@ root: ../.. idx: 4.2 description: Registering a chatcommand and handling chat messages with register_on_chat_message redirect_from: /en/chapters/chat.html +cmd_online: + level: warning + title: Offline players can run commands + message:

A player name is passed instead of a player object, because mods + can run commands on behalf of offline players. For example, the IRC + bridge allows players to run commands without joining the game.

+ +

So make sure that you don't assume that the player is online. + You can check by seeing if minetest.get_player_by_name returns a player.

+ +cb_cmdsprivs: + level: warning + title: Privileges and Chat Commands + message: The shout privilege isn't needed for a player to trigger this callback. + This is because chat commands are implemented in Lua, and are just + chat messages that begin with a /. + --- ## Introduction @@ -45,20 +62,6 @@ minetest.chat_send_player("player1", "This is a chat message for player1") This message displays in the same manner as messages to all players, but is only visible to the named player, in this case player1. -### Older Mods - -Occasionally you'll see mods where the chat_send_player function includes a -Boolean: - -{% highlight lua %} -minetest.chat_send_player("player1", "This is a server message", true) -minetest.chat_send_player("player1", "This is a server message", false) -{% endhighlight %} - -The boolean is no longer used, and has no affect -[[commit]](https://github.com/minetest/minetest/commit/9a3b7715e2c2390a3a549d4e105ed8c18defb228). - - ## Chat Commands To register a chat command, for example /foo, use register_chatcommand: @@ -96,14 +99,7 @@ return true, "You said " .. param .. "!" This returns two values, a Boolean which shows the command succeeded and the chat message to send to the player. -A player name, instead of a player object, is passed because -**the player might not actually be in-game, but may be running commands from IRC**. -Due to this, you should not assume `minetest.get_player_by_name`, or any other -function that requires an in-game player, will work in a chat command call back. - -`minetest.show_formspec` also won't work when a command is run from IRC, so you -should provide a text only version. For example, the email mod allows both `/inbox` -to show a formspec, and `/inbox text` to send information to chat. +{% include notice.html notice=page.cmd_online %} ## Complex Subcommands 
@@ -162,17 +158,21 @@ By returning false, you allow the chat message to be sent by the default handler. You can actually remove the line `return false`, and it would still work the same. -**WARNING: CHAT COMMANDS ARE ALSO INTERCEPTED.** If you only want to catch -player messages, you need to do this: +{% include notice.html notice=page.cb_cmdsprivs %} + +You should make sure you take into account that it may be a chat command, +or the user may not have `shout`. {% highlight lua %} minetest.register_on_chat_message(function(name, message) if message:sub(1, 1) == "/" then print(name .. " ran chat command") - return false + elseif minetest.check_player_privs(name, { shout = true }) then + print(name .. " said " .. message) + else + print(name .. " tried to say " .. message .. " but doesn't have shout") end - print(name .. " said " .. message) return false end) {% endhighlight %} diff --git a/_en/players/formspecs.md b/_en/players/formspecs.md index ed05ada..1d6843e 100644 --- a/_en/players/formspecs.md +++ b/_en/players/formspecs.md @@ -4,6 +4,13 @@ layout: default root: ../.. idx: 4.5 redirect_from: /en/chapters/formspecs.html +submit_vuln: + level: warning + title: Malicious clients can submit anything at anytime + message: You should never trust a formspec submission. A malicious client + can submit anything they like at any time - even if you never showed + them the formspec. This means that you should check privileges + and make sure that they should be allowed to perform the action. --- ## Introduction @@ -162,6 +169,8 @@ to the function, and exit if it is not the right form; however, some callbacks may need to work on multiple forms, or all forms - it depends on what you want to do. +{% include notice.html notice=page.submit_vuln %} + ### Fields The `fields` parameter to the function is a table, index by string, of the values diff --git a/_sass/_content.scss b/_sass/_content.scss index e78d9c9..4a5eca9 100644 --- a/_sass/_content.scss +++ b/_sass/_content.scss 
@@ -27,10 +27,14 @@ figure { padding: 0 0 0 6px; } +.notice-info { + background: #ececec !important; + border: 1px solid #aaa !important; +} .notice-danger { - background: #933 !important; - border: 1px solid #c44 !important; + background: #fcc !important; + border: 1px solid #a66 !important; } .notice-warning { @@ -56,6 +60,14 @@ figure { position: relative; } +.notice p { + margin: 0 0 17px 0; +} + +.notice p:last-child { + margin: 0; +} + .notice > span { position: absolute; top: 0; @@ -74,7 +86,7 @@ figure { .notice h2 { margin: 0 0 5px 0; padding: 0 0 2px 0; - font-size: 110%; + font-size: 100%; } .header-link, .anchor { diff --git a/lua_api.html b/lua_api.html index 6c5b349..b151a64 100644 --- a/lua_api.html +++ b/lua_api.html @@ -3,7 +3,7 @@ title: Lua Modding API Reference layout: default root: . --- -
+

This is lua_api.txt nicely formated: I did not write this

This page was last updated 29/March/2018.
See doc/lua_api.txt for the latest version (in plaintext).
Generated using a Python script.

Table of Contents

diff --git a/utils/update_lua_api.py b/utils/update_lua_api.py
index 0b780dd..7144f69 100644
--- a/utils/update_lua_api.py
+++ b/utils/update_lua_api.py
@@ -100,7 +100,7 @@ html = str(soup)
 print("Writing to file...")
 file = open("lua_api.html", "w")
 file.write("---\ntitle: Lua Modding API Reference\nlayout: default\n---\n")
-file.write("
\n") +file.write("
\n") file.write("

This is lua_api.txt nicely formated: I did not write this

\n") file.write(credit) file.write("
\n")
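Review bot: The front matter this script writes (the `file.write("---\ntitle: ...")` context line just above the changed call) has no `root: .` entry, while the committed lua_api.html edited by hand in this same patch does carry `root: .`, so the next regeneration would silently drop it. If the layout relies on that key, the generator should emit it too: `file.write("---\ntitle: Lua Modding API Reference\nlayout: default\nroot: .\n---\n")`. The output file is also opened without a context manager or an explicit encoding; `with open("lua_api.html", "w", encoding="utf-8") as file:` would guarantee the handle is flushed and closed and keep the generated page's encoding independent of the machine's locale. The script continues past the end of this hunk, so a later `file.close()` may exist but is not visible here.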