✨ feat: add setAccountSerial #3587
The basic concept of this pull request is understandable, but such a change must also be reviewed from a security point of view, as the modifiability of serials belonging to accounts carries many risks in my opinion.
So, I believe since the function is only on the server side, no problem
What would be the benefits of that function?
I believe it would be easier to change the Accounts serial in internal.db. Imagine a server that has 500 players online, and someone from the administration changed computers due to an emergency; they would have to shut down the server just to change its serial number! With this function, we eliminate this need.
I tried following the setAccountPassword and setAccountName pattern
Why would they need to shut down the server? You can log in to the account from 5 different computers without issues.
Let me try to give a better example. I don't use ElementData and I only use the Multi Theft Auto login system. I create a simple The idea of bringing this function is just to make things easier
You should never rely on just serial as your authentication as they are not reliable. You should connect several identification methods (ip, serial, specs, etc.) together to in some way identify a player.
Why do you think this will bring more chaos to MTA? Nowadays, server owners already perform this action, but most often manually through the internal.db. Shops usually carry out this type of validation, so what we can do to increase security is to prevent malicious scripts by adding appropriate rules to the acl.xml. And also,
acl.xml has no effect on client side functions and events. It only prevents server side code from doing stuff.
But this function is on the server side
I understand that. I was responding to
If you have backdoors in your scripts (or download malware scripts to your server) then no matter what functions you have at your disposal, it's useless.
So you think it’s better to delete the serial rather than setting a new one? By modifying the function to
I assume by players, you mean admins and members of other ACL groups you have enabled. This function would still be useful if you're just looking to update the serial returned by
Script backdoors are not a threat that the
This function does exactly that: it updates the serial from
Can the acl right be put in the same group as the other setAccount* functions?
@Lpsd Do you say put it in the Moderator?
I think so
Why not just add an option to have multiple serials allowed to log in to the same account?
@Nico8340 adjusted. @CrosRoad95 The idea is to update the serial from getAccountSerial and not from authserial.
Also, if you add the setAccountSerial function, you are in practice introducing a way to bypass already existing protections EVEN if you updated the acl. Why, you may guess? People don't update, they reuse resources, and in these resources often lies an outdated acl.xml. A good example is dgs: even though thisdp fixed a vulnerability there YEARS ago, it is still present on many, many servers.
@CrosRoad95 I agree with you; I believe that ACL is not the most secure resource. However, the function resides on the server side, so it is the total responsibility of whoever is setting up their server to be aware of and consent to the use of this function. We should not be held responsible for the misuse of certain functions, such as debugHook, which many people are using nowadays to break the protections of resource stores. We do not take action on this because it is not within our jurisdiction nor is it our responsibility to address the misuse of these functions. Remember that this is just an example; the case mentioned has nothing to do with this function.
In my opinion, you shouldn't use a function to alter this value. It's automatic... Instead, use
This PR adds a new function to edit the serial of a specific account. Currently, when players change their PC, the server owner needs to shut down the server and modify the internal.db file to update the player's serial. With this new function, this process is simplified, eliminating the need to shut down the server.
Example: