duckietm/Arcturus-Morningstar-Extended
1
0
Fork 0
mirror of https://github.com/duckietm/Arcturus-Morningstar-Extended.git synced 2026-06-19 15:06:19 +00:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #271 from simoleo89/fix/guilds-admin-removal

Browse Source 
fix(guilds): protect admin members
This commit is contained in:
DuckieTM
2026-06-18 12:55:57 +02:00
committed by GitHub
parent 733cce25d7 4855ea6ea5
commit a89d18e8de
2 changed files with 40 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
Emulator/src/main/java/com/eu/habbo/messages/incoming/guilds/GuildRemoveMemberEvent.java
+13
View File
@@ -40,6 +40,19 @@ public class GuildRemoveMemberEvent extends MessageHandler {
return;
}
GuildMember targetMember = Emulator.getGameEnvironment().getGuildManager().getGuildMember(guildId, userId);
if (targetMember == null) {
return;
}
boolean actorIsGuildOwner = guild.getOwnerId() == this.client.getHabbo().getHabboInfo().getId() || member.getRank().equals(GuildRank.OWNER);
boolean actorIsGlobalGuildAdmin = this.client.getHabbo().hasPermission(Permission.ACC_GUILD_ADMIN);
if ((targetMember.getRank().equals(GuildRank.ADMIN) || targetMember.getRank().equals(GuildRank.OWNER))
&& !actorIsGuildOwner
&& !actorIsGlobalGuildAdmin) {
return;
}
if (userId == this.client.getHabbo().getHabboInfo().getId() || guild.getOwnerId() == this.client.getHabbo().getHabboInfo().getId() || member.getRank().equals(GuildRank.OWNER) || member.getRank().equals(GuildRank.ADMIN) || this.client.getHabbo().hasPermission(Permission.ACC_GUILD_ADMIN)) {
Habbo habbo = Emulator.getGameEnvironment().getHabboManager().getHabbo(userId);
GuildRemovedMemberEvent removedMemberEvent = new GuildRemovedMemberEvent(guild, userId, habbo);
Emulator/src/test/java/com/eu/habbo/messages/incoming/guilds/GuildMemberRemovalPermissionContractTest.java
+27
View File
@@ -0,0 +1,27 @@
package com.eu.habbo.messages.incoming.guilds;
import org.junit.jupiter.api.Test;
import java.nio.file.Files;
import java.nio.file.Path;
import static org.junit.jupiter.api.Assertions.assertTrue;
class GuildMemberRemovalPermissionContractTest {
@Test
void regularAdminsCannotRemovePeerAdmins() throws Exception {
String source = Files.readString(Path.of("src/main/java/com/eu/habbo/messages/incoming/guilds/GuildRemoveMemberEvent.java"));
int targetLookup = source.indexOf("GuildMember targetMember =");
int peerAdminGuard = source.indexOf("targetMember.getRank().equals(GuildRank.ADMIN)", targetLookup);
int ownerCheck = source.indexOf("!actorIsGuildOwner", peerAdminGuard);
int globalCheck = source.indexOf("!actorIsGlobalGuildAdmin", ownerCheck);
int removeMember = source.indexOf("removeMember(guild, userId)", globalCheck);
assertTrue(targetLookup > -1, "member removal should load the target membership row");
assertTrue(peerAdminGuard > targetLookup, "member removal should detect admin targets");
assertTrue(ownerCheck > peerAdminGuard, "peer-admin removal must require guild owner");
assertTrue(globalCheck > ownerCheck, "peer-admin removal may also allow global guild admins");
assertTrue(removeMember > globalCheck, "target rank authorization must run before removal");
}
}