ID Console can no longer grant access the privileged ID doesn't have. (read: AA nerf) (#14699)

Co-authored-by: moonheart08 <moonheart08@users.noreply.github.com> Co-authored-by: metalgearsloth <comedian_vs_clown@hotmail.com>
2023-05-05 08:56:54 -05:00
parent 443220551c
commit 5cb1d70a3b
6 changed files with 50 additions and 15 deletions
--- a/Content.Client/Access/UI/IdCardConsoleWindow.xaml.cs
+++ b/Content.Client/Access/UI/IdCardConsoleWindow.xaml.cs
@@ -116,7 +116,7 @@ namespace Content.Client.Access.UI
            // this is a sussy way to do this
            foreach (var access in job.Access)
            {
-                if (_accessButtons.TryGetValue(access, out var button))
+                if (_accessButtons.TryGetValue(access, out var button) && !button.Disabled)
                {
                    button.Pressed = true;
                }
@@ -131,7 +131,7 @@ namespace Content.Client.Access.UI

                foreach (var access in groupPrototype.Tags)
                {
-                    if (_accessButtons.TryGetValue(access, out var button))
+                    if (_accessButtons.TryGetValue(access, out var button) && !button.Disabled)
                    {
                        button.Pressed = true;
                    }
@@ -187,6 +187,7 @@ namespace Content.Client.Access.UI
                if (interfaceEnabled)
                {
                    button.Pressed = state.TargetIdAccessList?.Contains(accessName) ?? false;
+                    button.Disabled = (!state.AllowedModifyAccessList?.Contains(accessName)) ?? true;
                }
            }

--- a/Content.Server/Access/Systems/IdCardConsoleSystem.cs
+++ b/Content.Server/Access/Systems/IdCardConsoleSystem.cs
@@ -54,16 +54,18 @@ public sealed class IdCardConsoleSystem : SharedIdCardConsoleSystem
        if (!component.Initialized)
            return;

+        var privilegedIdName = string.Empty;
+        string[]? possibleAccess = null;
+        if (component.PrivilegedIdSlot.Item is { Valid: true } item)
+        {
+            privilegedIdName = EntityManager.GetComponent<MetaDataComponent>(item).EntityName;
+            possibleAccess = _accessReader.FindAccessTags(item).ToArray();
+        }
+
        IdCardConsoleBoundUserInterfaceState newState;
        // this could be prettier
        if (component.TargetIdSlot.Item is not { Valid: true } targetId)
        {
-            var privilegedIdName = string.Empty;
-            if (component.PrivilegedIdSlot.Item is { Valid: true } item)
-            {
-                privilegedIdName = EntityManager.GetComponent<MetaDataComponent>(item).EntityName;
-            }
-
            newState = new IdCardConsoleBoundUserInterfaceState(
                component.PrivilegedIdSlot.HasItem,
                PrivilegedIdIsAuthorized(uid, component),
@@ -71,6 +73,7 @@ public sealed class IdCardConsoleSystem : SharedIdCardConsoleSystem
                null,
                null,
                null,
+                possibleAccess,
                string.Empty,
                privilegedIdName,
                string.Empty);
@@ -79,9 +82,6 @@ public sealed class IdCardConsoleSystem : SharedIdCardConsoleSystem
        {
            var targetIdComponent = EntityManager.GetComponent<IdCardComponent>(targetId);
            var targetAccessComponent = EntityManager.GetComponent<AccessComponent>(targetId);
-            var name = string.Empty;
-            if (component.PrivilegedIdSlot.Item is { Valid: true } item)
-                name = EntityManager.GetComponent<MetaDataComponent>(item).EntityName;

            var jobProto = string.Empty;
            if (_station.GetOwningStation(uid) is { } station
@@ -99,8 +99,9 @@ public sealed class IdCardConsoleSystem : SharedIdCardConsoleSystem
                targetIdComponent.FullName,
                targetIdComponent.JobTitle,
                targetAccessComponent.Tags.ToArray(),
+                possibleAccess,
                jobProto,
-                name,
+                privilegedIdName,
                EntityManager.GetComponent<MetaDataComponent>(targetId).EntityName);
        }

@@ -130,16 +131,29 @@ public sealed class IdCardConsoleSystem : SharedIdCardConsoleSystem

        if (!newAccessList.TrueForAll(x => component.AccessLevels.Contains(x)))
        {
-            Logger.Warning("Tried to write unknown access tag.");
+            _sawmill.Warning($"User {ToPrettyString(uid)} tried to write unknown access tag.");
            return;
        }

        var oldTags = _access.TryGetTags(targetId) ?? new List<string>();
        oldTags = oldTags.ToList();

+        var privilegedId = component.PrivilegedIdSlot.Item;
+
        if (oldTags.SequenceEqual(newAccessList))
            return;

+        // I hate that C# doesn't have an option for this and don't desire to write this out the hard way.
+        // var difference = newAccessList.Difference(oldTags);
+        var difference = (newAccessList.Union(oldTags)).Except(newAccessList.Intersect(oldTags)).ToHashSet();
+        // NULL SAFETY: PrivilegedIdIsAuthorized checked this earlier.
+        var privilegedPerms = _accessReader.FindAccessTags(privilegedId!.Value).ToHashSet();
+        if (!difference.IsSubsetOf(privilegedPerms))
+        {
+            _sawmill.Warning($"User {ToPrettyString(uid)} tried to modify permissions they could not give/take!");
+            return;
+        }
+
        var addedTags = newAccessList.Except(oldTags).Select(tag => "+" + tag).ToList();
        var removedTags = oldTags.Except(newAccessList).Select(tag => "-" + tag).ToList();
        _access.TrySetTags(targetId, newAccessList);
@@ -155,6 +169,9 @@ public sealed class IdCardConsoleSystem : SharedIdCardConsoleSystem
    /// <summary>
    /// Returns true if there is an ID in <see cref="IdCardConsoleComponent.PrivilegedIdSlot"/> and said ID satisfies the requirements of <see cref="AccessReaderComponent"/>.
    /// </summary>
+    /// <remarks>
+    /// Other code relies on the fact this returns false if privileged Id is null. Don't break that invariant.
+    /// </remarks>
    private bool PrivilegedIdIsAuthorized(EntityUid uid, IdCardConsoleComponent? component = null)
    {
        if (!Resolve(uid, ref component))
--- a/Content.Shared/Access/Components/IdCardConsoleComponent.cs
+++ b/Content.Shared/Access/Components/IdCardConsoleComponent.cs
@@ -85,6 +85,7 @@ public sealed class IdCardConsoleComponent : Component
        public readonly string? TargetIdFullName;
        public readonly string? TargetIdJobTitle;
        public readonly string[]? TargetIdAccessList;
+        public readonly string[]? AllowedModifyAccessList;
        public readonly string TargetIdJobPrototype;

        public IdCardConsoleBoundUserInterfaceState(bool isPrivilegedIdPresent,
@@ -93,6 +94,7 @@ public sealed class IdCardConsoleComponent : Component
            string? targetIdFullName,
            string? targetIdJobTitle,
            string[]? targetIdAccessList,
+            string[]? allowedModifyAccessList,
            string targetIdJobPrototype,
            string privilegedIdName,
            string targetIdName)
@@ -103,6 +105,7 @@ public sealed class IdCardConsoleComponent : Component
            TargetIdFullName = targetIdFullName;
            TargetIdJobTitle = targetIdJobTitle;
            TargetIdAccessList = targetIdAccessList;
+            AllowedModifyAccessList = allowedModifyAccessList;
            TargetIdJobPrototype = targetIdJobPrototype;
            PrivilegedIdName = privilegedIdName;
            TargetIdName = targetIdName;
--- a/Content.Shared/Access/Systems/SharedIdCardConsoleSystem.cs
+++ b/Content.Shared/Access/Systems/SharedIdCardConsoleSystem.cs
@@ -10,12 +10,15 @@ namespace Content.Shared.Access.Systems
    public abstract class SharedIdCardConsoleSystem : EntitySystem
    {
        [Dependency] private readonly ItemSlotsSystem _itemSlotsSystem = default!;
+        [Dependency] private readonly ILogManager _log = default!;

        public const string Sawmill = "idconsole";
+        protected ISawmill _sawmill = default!;

        public override void Initialize()
        {
            base.Initialize();
+            _sawmill = _log.GetSawmill(Sawmill);

            SubscribeLocalEvent<IdCardConsoleComponent, ComponentInit>(OnComponentInit);
            SubscribeLocalEvent<IdCardConsoleComponent, ComponentRemove>(OnComponentRemove);
--- a/Resources/Prototypes/Entities/Structures/Machines/Computers/computers.yml
+++ b/Resources/Prototypes/Entities/Structures/Machines/Computers/computers.yml
@@ -409,8 +409,6 @@
  name: ID card computer
  description: Terminal for programming Nanotrasen employee ID cards to access parts of the station.
  components:
-  - type: AccessReader
-    access: [["HeadOfPersonnel"]]
  - type: IdCardConsole
    privilegedIdSlot:
      name: id-card-console-privileged-id
--- a/Resources/Prototypes/Roles/Jobs/Command/head_of_personnel.yml
+++ b/Resources/Prototypes/Roles/Jobs/Command/head_of_personnel.yml
@@ -34,6 +34,19 @@
  - Hydroponics
  - External
  # I mean they'll give themselves the rest of the access levels *anyways*.
+  # As of 15/03/23 they can't do that so here's MOST of the rest of the access levels.
+  # Head level access that isn't their own was deliberately left out, get AA from the captain instead.
+  - Chemistry
+  - Engineering
+  - Quartermaster
+  - Research
+  - Salvage
+  - Security
+  - Brig
+  - Cargo
+  - Atmospherics
+  - Cargo
+  - Medical

 - type: startingGear
  id: HoPGear