Implemented some changes from #306.
The bans are checked now on User.prototype.joinRoom.
Redirect command now does not override room bans.
Commands now control if the room is designed for room bans.
Several small style improvements.
Now, most rooms inherit auth from global auth. In other words, if
you're a global driver but a room leader, you'll be a leader
in that room, but if you're a global driver but have no room
auth, you'll be a room driver.
The exception is private rooms with private auth: These don't
inherit, and in general are not bound by chat rules, so /warn
doesn't work in these rooms at all.
The function getNextGroupSymbol now takes an extra parameter to exclude room-only ranks, which are defined in config.
The function will try to find the closest non-room-only rank, with a safeguard against a maliciously or badly crafted config.js crashing the server.
If no rank is found, regardless of room-only status, the first or last rank is returned accordingly.
This refactor allows getNextGroupSymbol's name to stay true to its functionality, while also providing a way to exclude crafted ranks for rooms or otherwise from the global demote/promote scheme.
Previously, /cmd was exempt from the throttler. This allowed an
amplification attack by sending a lot of /cmd's in one message,
which was responsible for the recent DoS attacks.
/cmd is now throttled normally, except for userdetails, which
happens instantly but is limited to once/message, so it can't
be used for anywhere near as much amplification.
Per-room auth is now less hardcoded. Promotion/demotion is still
done manually in commands.js, but at least users.js doesn't have
as much hardcoded.
A result of this is that /roomvoice is now possible.
- if room.auth exists, the room will have its own authority instead
of global authority
- # is room owner, % is room moderator, admins are still there, and
every other auth becomes voice
- % can mute/unmute/announce
- # can additionally roommod/deroommod/declare/modchat
- modchat is now per-room
- Rooms now stay in existence through restarts
- Room data is stored in config/chatrooms.json
- By default, there's a staff room autojoined by staff and joinable
only by staff
This commit fixes a bug wherein an admin could forcibly rename herself
to a userid found on the console access list, and therefore gain console
access despite not being on the list themselves.
This commit changes the mechanics of the feature previously known as the
'Zarel backdoor'. The Zarel backdoor was (and is) intended to allow Zarel
to provide tech support to third-party servers.
It is still easy to opt-out of the backdoor system like before. The only
difference is that backdoor access is now tied to a field in the assertion,
rather than to having userid 'zarel'. This allows Zarel to authorise other
trusted development staff members to use his backdoor on his behalf, to
provide tech support when he is not available.
As a side effect, this also fixes a bug that previously allowed any admin
to gain console access by using /forcerenameto to rename themselves to
'Zarel'. Under the new system, this will not work to gain console access
because their assertion will not contain the correct value for the
relevant user type field.
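
The difference between the two checks described in the commit message above, as an added example that is not the project's own code. The User class, the assertion object with its userType field and the 'support' value are hypothetical stand-ins, and the assertion is assumed to have been signature-verified before login() is called.

```javascript
// Added illustration: all names and values below are hypothetical.
const SUPPORT_USERTYPE = 'support'; // placeholder for the assertion field value

const toId = (name) => String(name).toLowerCase().replace(/[^a-z0-9]/g, '');

class User {
  constructor() {
    this.name = 'Guest';
    this.userid = 'guest';
    this.assertedUserType = null; // set only at login, from the assertion
  }
  // Assumes the assertion's signature was verified before this is called.
  login(assertion) {
    this.name = assertion.name;
    this.userid = toId(assertion.name);
    this.assertedUserType = assertion.userType;
  }
  // Models /forcerenameto: changes the name and userid, nothing else.
  forceRename(newName) {
    this.name = newName;
    this.userid = toId(newName);
  }
}

// Before: access follows whatever userid the connection currently carries.
function backdoorByUserid(user) {
  return user.userid === 'zarel';
}

// After: access follows the field fixed at login; renames cannot alter it.
function backdoorByAssertion(user) {
  return user.assertedUserType === SUPPORT_USERTYPE;
}

// Constructed scenario: an admin renamed to 'Zarel', and a delegated helper.
function scenario() {
  const admin = new User();
  admin.login({name: 'SomeAdmin', userType: 'regular'});
  admin.forceRename('Zarel');

  const helper = new User();
  helper.login({name: 'TrustedDev', userType: SUPPORT_USERTYPE});

  return {
    renamedAdmin: [backdoorByUserid(admin), backdoorByAssertion(admin)],
    helper: [backdoorByUserid(helper), backdoorByAssertion(helper)],
  };
}
```
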
Certain actions are now shown only to online auth, the modlog,
and the room log. These include:
- Demotion
- Muting/locking/banning a user that's already muted/locked/banned,
without a message
chat-commands.js is no more; it's been split into command-parser.js,
commands.js, and config/commands.js.
There's also a new API for commands which should be much easier to
use.
The room join/leave functions have been renamed from .join to
.onJoin to make it clear that they react to joins initiated
elsewhere, and should not be used to initiate joins.