Arcturus-Morningstar-Extended

duckietm/Arcturus-Morningstar-Extended

Fork 0

mirror of https://github.com/duckietm/Arcturus-Morningstar-Extended.git synced 2026-06-19 15:06:19 +00:00

Commit Graph

Author	SHA1	Message	Date
simoleo89	67d2f52f64	fix(permissions): acc_supporttool incorrectly granted to VIP, denied to Super Mod The default permission_definitions seed for acc_supporttool used the pattern (0, 1, 1, 1, 1, 0, 1) across rank_1..rank_7 — apparently shifted by two columns: * rank_2 (VIP) and rank_3 (X) had ALLOWED. With acc_supporttool=1 the SecureLoginEvent path sends ModeratorInitMessageEvent on login, which makes the React client surface the ModTools toolbar button and let the user open room/user info windows. The actual sanction endpoints (ModToolSanctionBanEvent, ModToolWarnEvent, …) still gate on ACC_SUPPORTTOOL so a VIP cannot actually take moderator action — but they can request user info, room info and chatlogs they have no business reading. * rank_6 (Super Mod) was DISALLOWED, which is obviously not what the name says. Corrected pattern: (0, 0, 0, 1, 1, 1, 1) — Support (4), Moderator (5), Super Mod (6), Administrator (7). Matches the convention used by the other staff-only acc_modtool_* keys. Two changes: - Default Database/FullDatabase.sql: fix the seed for fresh installs. - Database Updates/004_fix_acc_supporttool_rank.sql: idempotent UPDATE to realign existing deployments. Found by user report: a rank-2 (VIP) account on the live retro had the ModTools button visible in the toolbar after login.	2026-05-20 20:34:37 +02:00
medievalshell	e334a3e0ac	feat(auth): backward-compatible TTL check on SSO auth_ticket Pairs with the CMS-side change introducing auth_ticket_expires_at (60s expiry written on every ticket issuance). Without an emulator-side verification the column was advisory only — this commit gates every SELECT that resolves a user by auth_ticket on auth_ticket = ? AND (auth_ticket_expires_at IS NULL OR auth_ticket_expires_at >= NOW()) The NULL branch preserves backward-compatibility: CMS deployments that do not yet populate the column keep working exactly like before (every ticket passes the WHERE clause as soon as auth_ticket matches), and the TTL takes effect automatically the moment a CMS starts writing the expiry value. Five SELECTs touched: - SessionEndpoints.java (cms-issued SSO + remember-token flow) - HabboManager.loadHabbo (game client login by ticket) - SecureLoginEvent (legacy handshake path) DB schema delivered both ways: - Database Updates/Own_Database_RunFirst/020_auth_ticket_ttl.sql: idempotent ALTER, skips if column already present (information_schema guard so re-running the bundle is safe). - Default Database/FullDatabase.sql: column added to the `users` table definition for fresh installs. Bumps the emulator version to 4.2.7.	2026-05-19 00:46:58 +02:00
duckietm	4f9fa9fc93	🆙 Database updated to TuT instalation	2026-05-18 12:56:28 +02:00

Author

SHA1

Message

Date

simoleo89

67d2f52f64

fix(permissions): acc_supporttool incorrectly granted to VIP, denied to Super Mod

The default permission_definitions seed for acc_supporttool used the
pattern (0, 1, 1, 1, 1, 0, 1) across rank_1..rank_7 — apparently
shifted by two columns:

  * rank_2 (VIP) and rank_3 (X) had ALLOWED. With acc_supporttool=1
    the SecureLoginEvent path sends ModeratorInitMessageEvent on
    login, which makes the React client surface the ModTools toolbar
    button and let the user open room/user info windows. The actual
    sanction endpoints (ModToolSanctionBanEvent, ModToolWarnEvent,
    …) still gate on ACC_SUPPORTTOOL so a VIP cannot actually take
    moderator action — but they can request user info, room info
    and chatlogs they have no business reading.
  * rank_6 (Super Mod) was DISALLOWED, which is obviously not what
    the name says.

Corrected pattern: (0, 0, 0, 1, 1, 1, 1) — Support (4), Moderator
(5), Super Mod (6), Administrator (7). Matches the convention used
by the other staff-only acc_modtool_* keys.

Two changes:
  - Default Database/FullDatabase.sql: fix the seed for fresh
    installs.
  - Database Updates/004_fix_acc_supporttool_rank.sql: idempotent
    UPDATE to realign existing deployments.

Found by user report: a rank-2 (VIP) account on the live retro had
the ModTools button visible in the toolbar after login.

2026-05-20 20:34:37 +02:00

medievalshell

e334a3e0ac

feat(auth): backward-compatible TTL check on SSO auth_ticket

Pairs with the CMS-side change introducing auth_ticket_expires_at (60s
expiry written on every ticket issuance). Without an emulator-side
verification the column was advisory only — this commit gates every
SELECT that resolves a user by auth_ticket on

    auth_ticket = ?
    AND (auth_ticket_expires_at IS NULL OR auth_ticket_expires_at >= NOW())

The NULL branch preserves backward-compatibility: CMS deployments that
do not yet populate the column keep working exactly like before
(every ticket passes the WHERE clause as soon as auth_ticket matches),
and the TTL takes effect automatically the moment a CMS starts writing
the expiry value.

Five SELECTs touched:
- SessionEndpoints.java (cms-issued SSO + remember-token flow)
- HabboManager.loadHabbo (game client login by ticket)
- SecureLoginEvent (legacy handshake path)

DB schema delivered both ways:
- Database Updates/Own_Database_RunFirst/020_auth_ticket_ttl.sql:
  idempotent ALTER, skips if column already present (information_schema
  guard so re-running the bundle is safe).
- Default Database/FullDatabase.sql: column added to the `users` table
  definition for fresh installs.

Bumps the emulator version to 4.2.7.

2026-05-19 00:46:58 +02:00

duckietm

4f9fa9fc93

🆙 Database updated to TuT instalation

2026-05-18 12:56:28 +02:00

3 Commits