ID:157759
 
Using href for ban/mute next to messages in output reveals an Admin's Memory ID, and allows players to input that command to force the admin to use the mute/ban/whatever.

Would adding a check for GM to src fix this? How do I fix it? I've never seen anything like this in my life. Thanks.

(IE ?src[F0001X] action1=Mute,Action2= Player Name)
Instead of using the admin as the src ref, you should be using the target of the command, that way you can validate the person clicking the link.

// So you do something like

<a href="?src=\ref[target]&mode=admin&action=mute">Mute</a>

// And inside of Topic() you do this.

mob/Topic(href,href_list[])
    if(href_list["mode"] == "admin")
        if(usr in admin_list) // Note that usr here is the person clicking the link, src is the target.
            if(href_list["action"] == "mute")
                src << "You have been muted!"
        else
            usr << "Only admins can do that."


Please note, this is an EXAMPLE, I leave it to you to adapt this to your needs.
In response to Nadrew
Nadrew wrote:
Instead of using the admin as the src ref, you should be using the target of the command, that way you can validate the person clicking the link.

> // So you do something like
>
> <a href="?src=\ref[target]&mode=admin&action=mute">Mute</a>
>
> // And inside of Topic() you do this.
>
> mob/Topic(href,href_list[])
>     if(href_list["mode"] == "admin")
>         if(usr in admin_list) // Note that usr here is the person clicking the link, src is the target.
>             if(href_list["action"] == "mute")
>                 src << "You have been muted!"
>         else
>             usr << "Only admins can do that."
>

Please note, this is an EXAMPLE, I leave it to you to adapt this to your needs.

Thank you. That sure kills a lot of my worries.
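
An added example, not written by anyone in this thread, that carries the pattern from Nadrew's reply a step further: the link names the target, the handler authorizes usr, only listed actions are accepted, and refused requests are logged. The names admin_keys, muted, ModLink and the unmute action are assumptions made for illustration.

```dm
// Added example; admin_keys, muted, ModLink() and "unmute" are assumed names.
var/list/admin_keys = list("exampleadmin")  // constructed sample ckeys

mob
    var/muted = FALSE

    // Link placed next to a chat line. \ref[src] is the TARGET of the action,
    // so the href a player can read never carries an admin's reference.
    proc/ModLink()
        return "<a href='?src=\ref[src]&mode=admin&action=mute'>Mute</a>"

    Topic(href, href_list[])
        if(href_list["mode"] != "admin")
            return ..()
        // usr is whoever sent this topic; src only names the target.
        // Testing src for GM status would pass for any sender if src were
        // the admin, so the decision is made on usr alone.
        var/who = usr ? usr.key : "unknown"
        if(!usr || !(usr.ckey in admin_keys))
            world.log << "DENIED admin topic from [who]: [href]"
            usr << "Only admins can do that."
            return
        // Accept only the actions listed here; anything else is logged.
        var/action = href_list["action"]
        switch(action)
            if("mute")
                muted = TRUE
                src << "You have been muted!"
            if("unmute")
                muted = FALSE
                src << "You have been unmuted."
            else
                world.log << "Unknown admin action '[action]' from [who]"
                return
        world.log << "[who] applied [action] to [key]"

    verb/say(msg as text)
        if(muted)
            src << "You are muted."
            return
        // Every player can see the link; the check in Topic() decides
        // whether a click on it does anything.
        world << "[src]: [html_encode(msg)] [ModLink()]"
```

The DENIED lines in world.log give a record of non-admin accounts sending admin topics.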