This is a feature requested for tournament servers such as smogtours.
Right now it hides all join and leave reports, including those of the battlers.
By default all servers should have it set to true, reporting the battles; added that to the config-example.
Servers that wish to hide joins and leaves on battles must set this configuration to false.
It wasn't getting propagated to socket processes correctly. Also change
the default bind address from 'localhost' to undefined (accept all
connections).
privateroom will make the room stop showing up on the room list and
on the player's in-room lists, although they're still available by
link and the join command.
Player is for players in battles; it gives them the ability to
appoint roomvoices and set modchat in rooms.
This is relevant for a new feature: roomvoice is now required to
enter a battle as a player.
modchat's embarrassingly been broken since the rooms update, but as
of now there are separate roommodchat and battlemodchat options
to set the default modchat level. I'll probably add the ability
for per-room modchat to be permanent later.
Room auth now matches regular auth much better. There are now room voices,
room drivers, room mods, etc. They correspond to the global versions,
except with their powers restricted to the current room.
Roomdriver no longer gets /roomvoice; it's now roommod and higher.
The function getNextGroupSymbol now takes an extra parameter to exclude room-only ranks, which are defined in config.
The function will try to find the closest non-room-only rank, with a safeguard against a maliciously or badly crafted config.js crashing the server.
If no rank is found, regardless of room-only status, the first or last rank is returned accordingly.
This refactor allows getNextGroupSymbol's name to stay true to its functionality, while also providing a way to exclude crafted ranks for rooms or otherwise from the global demote/promote scheme.
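
A sketch of the rank walk described in the commit message above, added here as an illustration and not taken from the project's code. The function name `nextGroupSymbol`, the `groupsranking`/`groups` config shape, the `roomonly` flag and the sample ranks are all assumptions.

```javascript
// Constructed sample config (assumed shape, not the project's config.js):
// ranks ordered lowest to highest; `roomonly` marks ranks that exist only in rooms.
const sampleConfig = {
  groupsranking: [' ', '+', '%', '\u2605', '@', '#', '&', '~'],
  groups: {
    ' ': {}, '+': {}, '%': {}, '@': {}, '&': {}, '~': {},
    '\u2605': {roomonly: true}, '#': {roomonly: true},
  },
};

// Hypothetical helper: the closest rank above (or below) `symbol`, optionally
// skipping room-only ranks so they never enter the global promote/demote chain.
function nextGroupSymbol(config, symbol, isDown, excludeRoomOnly) {
  config = config || {};
  const ranking = Array.isArray(config.groupsranking) ? config.groupsranking : [];
  const groups = config.groups || {};
  if (ranking.length === 0) return ' ';  // nothing usable configured: lowest rank

  const step = isDown ? -1 : 1;
  const fallback = isDown ? ranking[0] : ranking[ranking.length - 1];
  // Unknown symbols are treated as the lowest rank instead of throwing.
  let i = Math.max(ranking.indexOf(symbol), 0);

  // The index moves in one direction only, so the walk always terminates,
  // whatever the config contains.
  for (i += step; i >= 0 && i < ranking.length; i += step) {
    const sym = ranking[i];
    // Own-property lookup: a rank that is listed but never defined (or a
    // key such as '__proto__') is skipped instead of being dereferenced.
    const group = Object.prototype.hasOwnProperty.call(groups, sym) ? groups[sym] : null;
    if (!group) continue;
    if (excludeRoomOnly && group.roomonly) continue;
    return sym;
  }
  // No candidate in that direction: first or last rank, as the message states.
  return fallback;
}
```
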
Per-room auth is now less hardcoded. Promotion/demotion is still
done manually in commands.js, but at least users.js doesn't have
as much hardcoded.
A result of this is that /roomvoice is now possible.
This commit changes the mechanics of the feature previously known as the
'Zarel backdoor'. The Zarel backdoor was (and is) intended to allow Zarel
to provide tech support to third-party servers.
It is still easy to opt-out of the backdoor system like before. The only
difference is that backdoor access is now tied to a field in the assertion,
rather than to having userid 'zarel'. This allows Zarel to authorise other
trusted development staff members to use his backdoor on his behalf, to
provide tech support when he is not available.
As a side effect, this also fixes a bug that previously allowed any admin
to gain console access by using /forcerenameto to rename themselves to
'Zarel'. Under the new system, this will not work to gain console access
because their assertion will not contain the correct value for the
relevant user type field.
- /static/custom.css is now located at /config/custom.css
- /static/avatars/ is now located at /config/avatars/
- The redirect script now redirects all room URIs, not just the root
path. For example, if you are running a server on localhost port 8000,
visiting http://localhost:8000/teambuilder will now take you to the
teambuilder. This works for any room.
The `localsysop` setting is dangerous and allows an attack where an
attacker constructs a malicious webpage that makes a connection to
`localhost` on the appropriate port and then takes over the server.
Since the dev console can be used from `localhost` by default, this
would include the ability to run arbitrary code on the server computer.
Any server operator who browses the internet on the same computer
where she or he hosts the server (such as some small-time server
operators) would be vulnerable to having their computer taken
over merely by visiting any webpage on the internet under the
control of the attacker.
- /fr and /frt now behave as follows:
  1) Regardless of whether they are used in a battle or in the lobby,
     both commands show a message to all users in the lobby with the
     `receiveauthmessages` permission (which is % and up by default).
  2) If used in a battle, the message is also shown to all users in
     the battle, even if they are not auth. In addition, the message
     is written to the lobby file logs.
- use of /lockdown, /endlockdown, /kill, /crashfixed, and /crashnoted
is now written to the lobby file logs (including the identity of the
person who used the command)
If `loglobby` is enabled in the config file, lobby logs are written
to logs/lobby/yyyy-mm/yyyy-mm-dd.txt. Lobby logs are kept in their own
subdirectory of the 'logs' directory in order to avoid a namespace
clash with a format named 'logs', and also because there are many
reasons why one might want to copy the battle logs without copying
the lobby logs.
With the advent of challenge-response authentication, the `tokenhosts`
feature is no longer necessary. It can still be used for slightly
increased security, but since it makes it harder for users to get
the server up and running, it is now disabled by default.
The new default is that the hostname contained in the first assertion
sent to the server will be accepted, and it (and the corresponding IP
address, if it is a domain name) will be added to tokenhosts.
In addition, I have also added a better error message in the case of
an invalid token hostname, which should point users to the relevant
documentation.
I also have changed the default to localhost only. However, servers
which leave `exports.tokenhosts` undefined will continue to accept
all hostnames in assertions, so this commit will not break existing
servers that pull it.
Previously, access to /disableladder and /enableladder was controlled
by the `modchat` permission, which is available to the @, &, and ~
groups by default. However, /disableladder is a very disruptive command
and it is totally unlike modchat, so it is now governed by its own
permission, which is given to the & and ~ groups by default.
The console feature allows users with the 'console' permission
to execute arbitrary JavaScript in the context of the server
process. This allows for the execution of arbitrary code on the
local computer running the Pokemon Showdown server. As such,
the console permission is different from all other permissions
in that it gives power over more than just Pokemon Showdown.
It is likely that most users do not realise how powerful the
console permission is. As such, this commit alters the 'root'
permission so that it does not include the 'console' permission.
If a user intends to give a usergroup the console permission,
the server operator must add
    console: true
to a usergroup's permissions in config.js.
This implementation also has the effect of disabling the
console feature on all current servers that pull this commit,
unless they explicitly enable it for a usergroup.
Please do not enable the console permission unless you fully
understand how powerful it is.
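
The permission change described in the commit message above, shown as an added example that is not the project's code: a check where `root` implies every permission next to one where `console` must be granted explicitly. The function names, the table shape and the `$` group are assumptions made for the illustration.

```javascript
// Constructed usergroup table (assumed shape). '~' and '&' are groups the
// page mentions; '$' is a hypothetical group that opts in to console.
const sampleGroups = {
  '~': {root: true},
  '&': {ban: true, disableladder: true},
  '$': {root: true, console: true},
};

// Permissions that reach beyond the application and are never implied by root.
const EXPLICIT_ONLY = new Set(['console']);

function lookupGroup(table, symbol) {
  return Object.prototype.hasOwnProperty.call(table, symbol) ? table[symbol] : null;
}

// Old behaviour: root implies everything, console included.
function canBefore(table, symbol, permission) {
  const group = lookupGroup(table, symbol);
  if (!group) return false;
  return group.root === true || group[permission] === true;
}

// New behaviour: console counts only when the group sets `console: true` itself.
function canAfter(table, symbol, permission) {
  const group = lookupGroup(table, symbol);
  if (!group) return false;
  if (EXPLICIT_ONLY.has(permission)) return group[permission] === true;
  return group.root === true || group[permission] === true;
}

// Audit helper for operators: which groups can reach the console under a
// given check. Useful for reviewing a config after pulling the change.
function consoleHolders(table, can) {
  return Object.keys(table).filter((symbol) => can(table, symbol, 'console'));
}
```

Running `consoleHolders` with both checks over a real usergroup table shows which groups lose console access under the new rule.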
Previously, the default configuration allowed the % group and up
to bypass a user's challenge block preference according to each
respective group's default jurisdiction. This commit changes the
behaviour so that all groups with the bypassblocks permission can
bypass the challenge block of all groups, not just groups over
which they have default jurisdiction.
- reportjoins - whether to display "<user> joined"
- reportbattles - whether to display "Battle started between <user> and <other user>"
- lagmode - whether or not the user list should display every user, or just voiced/registered users
- modchat - moderated chat: enable to disallow unregistered+unvoiced users from speaking
Also limit the lobby battle list to only the first 24 battles.
These were in fact enough for PS to handle an influx of 1000+ users from Reddit, lag-free!