Bug: Viewers can remove points

#1

PhantomBot Version: 3.0.0
OS Version: Windows 10 10.0
Java Version: 1.8.0_201-b09
Browser and Version (for Panel Support): Chrome 73.0.3683.86 (Official Build) (64-bit)
Stock PhantomBot: No

Bug: All viewers can type !points remove Johnny 1000

Expected functionality: Only the Caster, which the permissions are set to, should be able to use this subcommand

Description:
the !points command has many sub commands. I only have !points set to “Viewer” level. The rest of the sub commands (add, remove, set, etc) are set to “Caster.” Today in my chat, we discovered viewers could type !points remove Johnny 1000 and the bot replied that it removed 1000 points from Johnny. This is the only sub command that they seemed to have access to, not add, set, or anything else aside from checking points. This totally broke the economy as trolls started removing points from other users. I set the entire points command to Caster only, which stopped their ability to use any part of the command.

I did not modify the stock pointSystem file, even though I it says I don’t use stock Phantombot. The reason my stock is modified is only because I feel that the core fileSystem has a bug that I fixed myself (the file system does not close the file stream properly, at least to my liking and usage, but that’s another issue).

Please advise on this bug, and whether I’m doing something incorrectly. Note that this was not a problem in previous versions of Phantombot (I’ve used it since 2.3.6.1), only in 3.0.0. Feel free to test on another stream if removing points works for levels that aren’t set to use the sub command. I have it set to Caster right now to prevent further trolling. Thanks.

0 Likes

#2

This is a Stock PhantomBot 3.0.0:

permission illusionaryone
[03-29-2019 @ 09:21:39.783 MDT] [MUTED] @IllusionaryBot, IllusionaryOne currently has Viewer permissions.
points
[03-29-2019 @ 09:21:44.165 MDT] [MUTED] @IllusionaryBot,  you currently have 1206649 bits and you have been in the chat for  90 hours and 44 minutes.
[03-29-2019 @ 09:22:10.534 MDT] illusionaryone: !points remove illusionarybot 12345
points
[03-29-2019 @ 09:22:13.417 MDT] [MUTED] @IllusionaryBot,  you currently have 1206649 bits and you have been in the chat for  90 hours and 44 minutes.
points remove illusionaryone 100
[03-29-2019 @ 09:23:01.038 MDT] [MUTED] Took 100 bits from IllusionaryOne. New balance is 81625 bits.

permcom points remove 7
[03-29-2019 @ 09:24:26.075 MDT] [MUTED] @IllusionaryBot, Permissions for command: points remove set for group: Viewer and higher.
[03-29-2019 @ 09:24:36.636 MDT] illusionaryone: !points remove
[03-29-2019 @ 09:24:36.658 MDT] [MUTED] @IllusionaryOne, Usage: !points take [name] [amount]
permcom points remove 1
[03-29-2019 @ 09:24:43.729 MDT] [MUTED] @IllusionaryBot, Permissions for command: points remove set for group: Administrator and higher.
[03-29-2019 @ 09:24:49.826 MDT] illusionaryone: !points remove

The user (me) with Viewer permissions is not able to use !points remove. The bot with Admin is able to. I was able to run the command upon permcom but otherwise, not able to.

What was changed in the Core?

0 Likes

#3

Hi IllusionaryOne, thanks for the reply.

I modified fileSystem’s writeToFile() function to have this at the end, after the try{} block:

		finally {
			try {
				if (fos != null) {
					fos.close();
				}
			} 
			catch (e) {
				$.log.error('Failed close stream to \'' + path + '\': ' + e);
			}
		}

I have the file stream close because I noticed that trying to access the file at all while the bot was running was not possible (I use Flash to read from the files sometimes for my Twitch overlay). However, this doesn’t affect the points because to test if my change caused the reported issue, I loaded in the stock fileSystem file and viewers were still able to remove points without having permission. I don’t have any other core files modified, nor the pointSystem file modded. For this test, it’s all stock + custom commands in the custom folder. I use an alt Twitch account that is given no roles or permissions to test this issue, and it still is able to remove points.

0 Likes

#4

Start with an absolute fresh bot without your database. You may use your botlogin.txt. See if the issue persists.

0 Likes

#5

Ok, I did that and it doesn’t have the same problem. Could it be because I upgraded from Phantombot 2.3.6.1 straight to 3.0.0? Maybe something about the database.

Is there a way to convert an old database into the new one, rather than just copying the .db file over? Maybe something leftover in the old db that is messing things up.

0 Likes

#6

You can also try with your database and a fresh copy of PhantomBot. It will automatically upgrade what needs to be upgraded through each version. Just pop in your database file into that fresh 3.0.0 and let us know. I am just going through piece by piece at this point.

Thanks for your patience.

0 Likes

#7

Sorry for being MIA. I’ve been a bit busy for a week.

I loaded up a fresh 3.0.0 and copied in the botlogin file and the .db file, and the console wouldn’t complete starting up. It would pause indefinitely after “phantombot.tv

Here’s a screenshot of the whole console: https://snag.gy/z1hCOv.jpg

0 Likes

#8

Please provide the latest stack trace logs from the logs/stacktrace directory.

1 Like

#9

Make sure you copy all important files over, including any other .db files.

This could be phantombot.db-journal, phantombot.db.wal, or phantombot.db.shm

This guide may help you: How To Update PhantomBot

1 Like

#10

Ah, you’re right. I copied the whole config folder and launched. I tested with the !points command and nothing was out of the ordinary. I tested with my custom currency name, which is !popcorn, and that regular viewer could use “!popcorn remove” even though only the “!popcorn” command was set to viewer, not the subcommand “remove”.

So maybe it has to do with the aliased currency name?

Edit: I just made a fresh install and only copied over my botlogin file (not the database). I can repro this: (for these steps, “gelatinguy” is my caster name)

  1. Fresh install
  2. Copy over botlogin.txt and launch the bot.
  3. In Phantombot Dashboard, click Settings > Modules. Find the pointSystem.js module and click the checkmark to enable it.
  4. As the caster, type !points add gelatinguy 1000.
  5. As a regular non-mod viewer, type !points remove gelatinguy 10. Note that nothing happens, which is expected.
  6. In Phantombot Dashboard, click Loyalty > Currency. Change the currency name (single) to “coin” and the currency name (Multiple) to “coins”.
  7. As a regular viewer, type !coin remove gelatinguy 10. Note that it removes currency from gelatinguy. Chat reads: “Took 10 coins from gelatinguy. New balance is 990 coins.”

This does not happen with the !coins command, but only the !coin command. I noticed that in the Default commands, the !coin command does not have the “remove” subcommand, but !coins does. Hmm.

0 Likes

#11

So, does this seem like an issue on my end or with Phantombot? I hope you’re not stumped!

0 Likes

#12

Not stumped, sorry haven’t come back to this. Thanks for the reproduction steps. I might not be able to get to this until after next Sunday. I have a business trip (I might get time at night to look at PhantomBot, not sure) and then Easter with my family.

I will definitely try to get to this before I have to take off early next week, but I might not be able to.

Thanks!

0 Likes

#13

Oh no rush. I just wanted to be sure there wasn’t something I had to do. Enjoy your Easter!

0 Likes

#14

i have made a pull request for this fix if you wish to make the change manually or wait for it to be accepted then take it from the nightly build

0 Likes

#15

Oh thanks! I didn’t realize it was just missing the one subcommand registration. That seems to have fixed it!

0 Likes

#16

This has been merged and will be available in the next Nightly and the next formal release.

Thanks @Dakoda for the quick fix!

0 Likes