From 7dc3581f8f24b716a71a209f29bff5351ab09cb7 Mon Sep 17 00:00:00 2001
From: "github-actions[bot]"
<41898282+github-actions[bot]@users.noreply.github.com>
Date: Wed, 20 May 2026 06:25:19 +0000
Subject: [PATCH 1/3] =?UTF-8?q?=F0=9F=86=99=20Bump=20version=20to=204.2.11?=
=?UTF-8?q?=20[skip=20ci]?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
Emulator/pom.xml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Emulator/pom.xml b/Emulator/pom.xml
index 8376f637..229ce279 100644
--- a/Emulator/pom.xml
+++ b/Emulator/pom.xml
@@ -6,7 +6,7 @@
com.eu.habbo
Habbo
- 4.2.10
+ 4.2.11
UTF-8
From 69d770b65e4cb8d4d43f6ddec0b6b8df701262de Mon Sep 17 00:00:00 2001
From: "github-actions[bot]"
<41898282+github-actions[bot]@users.noreply.github.com>
Date: Wed, 20 May 2026 09:36:00 +0000
Subject: [PATCH 2/3] =?UTF-8?q?=F0=9F=86=99=20Bump=20version=20to=204.2.12?=
=?UTF-8?q?=20[skip=20ci]?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
Emulator/pom.xml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Emulator/pom.xml b/Emulator/pom.xml
index 229ce279..cb774ab9 100644
--- a/Emulator/pom.xml
+++ b/Emulator/pom.xml
@@ -6,7 +6,7 @@
com.eu.habbo
Habbo
- 4.2.11
+ 4.2.12
UTF-8
From 67d2f52f64e38358ba6fcf657eb99694d13a904a Mon Sep 17 00:00:00 2001
From: simoleo89
Date: Wed, 20 May 2026 20:34:37 +0200
Subject: [PATCH 3/3] fix(permissions): acc_supporttool incorrectly granted to
VIP, denied to Super Mod
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The default permission_definitions seed for acc_supporttool used the
pattern (0, 1, 1, 1, 1, 0, 1) across rank_1..rank_7 — apparently
shifted by two columns:
* rank_2 (VIP) and rank_3 (X) had ALLOWED. With acc_supporttool=1
the SecureLoginEvent path sends ModeratorInitMessageEvent on
login, which makes the React client surface the ModTools toolbar
button and let the user open room/user info windows. The actual
sanction endpoints (ModToolSanctionBanEvent, ModToolWarnEvent,
…) still gate on ACC_SUPPORTTOOL so a VIP cannot actually take
moderator action — but they can request user info, room info
and chatlogs they have no business reading.
* rank_6 (Super Mod) was DISALLOWED, which is obviously not what
the name says.
Corrected pattern: (0, 0, 0, 1, 1, 1, 1) — Support (4), Moderator
(5), Super Mod (6), Administrator (7). Matches the convention used
by the other staff-only acc_modtool_* keys.
Two changes:
- Default Database/FullDatabase.sql: fix the seed for fresh
installs.
- Database Updates/004_fix_acc_supporttool_rank.sql: idempotent
UPDATE to realign existing deployments.
Found by user report: a rank-2 (VIP) account on the live retro had
the ModTools button visible in the toolbar after login.
---
.../004_fix_acc_supporttool_rank.sql | 31 +++++++++++++++++++
Default Database/FullDatabase.sql | 2 +-
2 files changed, 32 insertions(+), 1 deletion(-)
create mode 100644 Database Updates/004_fix_acc_supporttool_rank.sql
diff --git a/Database Updates/004_fix_acc_supporttool_rank.sql b/Database Updates/004_fix_acc_supporttool_rank.sql
new file mode 100644
index 00000000..f0dfd371
--- /dev/null
+++ b/Database Updates/004_fix_acc_supporttool_rank.sql
@@ -0,0 +1,31 @@
+-- ============================================================
+-- Fix: acc_supporttool wrongly granted to VIP / wrongly denied to Super Mod
+-- ============================================================
+-- The default permission_definitions seed shipped acc_supporttool
+-- with rank pattern (0, 1, 1, 1, 1, 0, 1) — i.e. rank_2 (VIP) and
+-- rank_3 (X, junior helper) had ALLOWED, while rank_6 (Super Mod)
+-- did NOT. That's two bugs:
+--
+-- * VIP users see the ModTools button on the toolbar and can
+-- open Room/User info windows. The actual sanction endpoints
+-- still gate on ACC_SUPPORTTOOL server-side so they can't
+-- actually moderate, but the UI exposure is wrong and lets a
+-- VIP request user info / room info / chatlogs they have no
+-- business reading.
+-- * Super Mod is denied the tool entirely, which is obviously
+-- unintended given the rank name.
+--
+-- Intended pattern: only Support (4) and up — (0, 0, 0, 1, 1, 1, 1).
+--
+-- Run on existing deployments to align with the corrected default
+-- seed in `Default Database/FullDatabase.sql`. Idempotent.
+
+UPDATE `permission_definitions`
+ SET `rank_1` = 0,
+ `rank_2` = 0,
+ `rank_3` = 0,
+ `rank_4` = 1,
+ `rank_5` = 1,
+ `rank_6` = 1,
+ `rank_7` = 1
+ WHERE `permission_key` = 'acc_supporttool';
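Review bot: The header comment's statement that the sanction endpoints "still gate on ACC_SUPPORTTOOL server-side so they can't actually moderate" does not hold as written: under the old row rank_2 and rank_3 had acc_supporttool = 1, so a handler gated on that key alone would have admitted them. Unless those handlers check a further permission that is not visible in this patch, operators of existing deployments should review moderation and chatlog-access records for rank 2 and rank 3 accounts rather than treat the exposure as read-only. The UPDATE also overwrites all seven rank columns unconditionally, so a deployment that deliberately customised this row loses that setting without notice. I would reword the comment and add `-- NOTE: overwrites any local customisation of acc_supporttool; if the emulator caches permission_definitions, reload permissions or restart after running` (the caching behaviour is an assumption to confirm).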
diff --git a/Default Database/FullDatabase.sql b/Default Database/FullDatabase.sql
index 75a3b75b..c7e85d40 100644
--- a/Default Database/FullDatabase.sql
+++ b/Default Database/FullDatabase.sql
@@ -28598,7 +28598,7 @@ INSERT INTO `permission_definitions` (`permission_key`, `max_value`, `comment`,
('acc_staff_chat', 1, 'Grants access to the in-game Staff Chat group buddy: receives broadcasts from other staff and can broadcast to anyone holding this permission.', 0, 0, 0, 0, 0, 0, 1),
('acc_staff_pick', 1, 'Allows using staff item pick-up actions that bypass normal room ownership restrictions.', 0, 0, 0, 0, 0, 0, 1),
('acc_superwired', 1, 'Allows saving advanced wired data without the normal wordfilter and reward payload restrictions applied to regular users.', 0, 0, 0, 0, 0, 0, 1),
- ('acc_supporttool', 1, 'Allows opening and using the support/moderation tool interface.', 0, 1, 1, 1, 1, 0, 1),
+ ('acc_supporttool', 1, 'Allows opening and using the support/moderation tool interface.', 0, 0, 0, 1, 1, 1, 1),
('acc_trade_anywhere', 1, 'Allows starting trades outside the normal trade-enabled areas.', 0, 0, 0, 0, 0, 0, 1),
('acc_unignorable', 1, 'Prevents the account from being ignored by other users through the ignore system.', 0, 0, 0, 0, 0, 0, 0),
('acc_unkickable', 1, 'Prevents the user from being kicked by normal moderation or room commands.', 0, 0, 0, 0, 0, 0, 1),
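Review bot: Only the acc_supporttool row is corrected here, although the commit message attributes the bad values to a column shift, and nothing in this hunk shows that the other seed rows were checked for the same pattern. An audit for rows where a lower rank is allowed something a higher staff rank is denied would catch similar cases, for example `SELECT permission_key FROM permission_definitions WHERE rank_2 > rank_6 OR rank_3 > rank_6 OR rank_5 > rank_6;`, run against both the seed and live databases. The INSERT statement begins outside the hunk, so the mapping of the seven trailing values to rank_1..rank_7 is taken from the commit message rather than from a visible column list.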