Add a clientside check to only allow freefly camera for admins

2024-08-30 18:12:32 +00:00 · 2020-07-09 14:01:48 -07:00 · 2020-07-09 14:01:48 -07:00 · 6b771b8dca
commit 6b771b8dca
parent 738fa34534
3 changed files with 27 additions and 4 deletions
--- a/client/src/lib.rs
+++ b/client/src/lib.rs
@ -1083,6 +1083,18 @@ impl Client {
            .collect()
    }

+    /// Return true if this client is an admin on the server
+    pub fn is_admin(&self) -> bool {
+        let client_uid = self
+            .state
+            .read_component_cloned::<Uid>(self.entity)
+            .expect("Client doesn't have a Uid!!!");
+
+        self.player_list
+            .get(&client_uid)
+            .map_or(false, |info| info.is_admin)
+    }
+
    /// Clean client ECS state
    fn clean_state(&mut self) {
        let client_uid = self
--- a/voxygen/src/scene/camera.rs
+++ b/voxygen/src/scene/camera.rs
@ -298,11 +298,18 @@ impl Camera {
        }
    }

-    /// Cycle the camera to its next valid mode
-    pub fn next_mode(&mut self) {
+    /// Cycle the camera to its next valid mode. If is_admin is false then only
+    /// modes which are accessible without admin access will be cycled to.
+    pub fn next_mode(&mut self, is_admin: bool) {
        self.set_mode(match self.mode {
            CameraMode::ThirdPerson => CameraMode::FirstPerson,
-            CameraMode::FirstPerson => CameraMode::Freefly,
+            CameraMode::FirstPerson => {
+                if is_admin {
+                    CameraMode::Freefly
+                } else {
+                    CameraMode::ThirdPerson
+                }
+            },
            CameraMode::Freefly => CameraMode::ThirdPerson,
        });
    }
--- a/voxygen/src/session.rs
+++ b/voxygen/src/session.rs
@ -520,8 +520,12 @@ impl PlayState for SessionState {
                        }
                    },
                    Event::InputUpdate(GameInput::CycleCamera, true) => {
+                        // Prevent accessing camera modes which aren't available in multiplayer
+                        // unless you are an admin. This is an easily bypassed clientside check.
+                        // The server should do its own filtering of which entities are sent to
+                        // clients to prevent abuse.
                        let camera = self.scene.camera_mut();
-                        camera.next_mode();
+                        camera.next_mode(self.client.borrow().is_admin());
                    },
                    Event::AnalogGameInput(input) => match input {
                        AnalogGameInput::MovementX(v) => {