PhantomBot Version: 3.0.0
OS Version: Windows 10 10.0
Java Version: 1.8.0_201-b09
Browser and Version (for Panel Support): Chrome 73.0.3683.86 (Official Build) (64-bit)
Stock PhantomBot: No
Bug: All viewers can type !points remove Johnny 1000
Expected functionality: Only the Caster, which the permissions are set to, should be able to use this subcommand
the !points command has many sub commands. I only have !points set to “Viewer” level. The rest of the sub commands (add, remove, set, etc) are set to “Caster.” Today in my chat, we discovered viewers could type !points remove Johnny 1000 and the bot replied that it removed 1000 points from Johnny. This is the only sub command that they seemed to have access to, not add, set, or anything else aside from checking points. This totally broke the economy as trolls started removing points from other users. I set the entire points command to Caster only, which stopped their ability to use any part of the command.
I did not modify the stock pointSystem file, even though I it says I don’t use stock Phantombot. The reason my stock is modified is only because I feel that the core fileSystem has a bug that I fixed myself (the file system does not close the file stream properly, at least to my liking and usage, but that’s another issue).
Please advise on this bug, and whether I’m doing something incorrectly. Note that this was not a problem in previous versions of Phantombot (I’ve used it since 184.108.40.206), only in 3.0.0. Feel free to test on another stream if removing points works for levels that aren’t set to use the sub command. I have it set to Caster right now to prevent further trolling. Thanks.