From 60b141d77951e2adf3aa28d324c759323cc9c309 Mon Sep 17 00:00:00 2001
From: Jakubk15 <77227023+Jakubk15@users.noreply.github.com>
Date: Thu, 2 Jul 2026 15:11:44 +0200
Subject: [PATCH] security: require distinct permission to enchant another player's item
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Both /enchant execute overloads were gated only by the class-level @Permission("eternalcore.enchant"), so anyone allowed to enchant their own item could also modify other players' held items. Follow the FlyCommand convention: drop the class-level permission and gate each overload individually — eternalcore.enchant for the self variant and eternalcore.enchant.other for the "" variant. Note: servers that previously granted eternalcore.enchant to allow enchanting others must now also grant eternalcore.enchant.other.
Co-Authored-By: Claude Opus 4.8
Claude-Session: https://claude.ai/code/session_01JrkLFxzmmn7BpB9y6vMTeg
---
 .../com/eternalcode/core/feature/enchant/EnchantCommand.java | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/eternalcore-core/src/main/java/com/eternalcode/core/feature/enchant/EnchantCommand.java b/eternalcore-core/src/main/java/com/eternalcode/core/feature/enchant/EnchantCommand.java
index 02a72028e..6789c2c2b 100644
--- a/eternalcore-core/src/main/java/com/eternalcode/core/feature/enchant/EnchantCommand.java
+++ b/eternalcore-core/src/main/java/com/eternalcode/core/feature/enchant/EnchantCommand.java
@@ -15,7 +15,6 @@ import org.bukkit.inventory.PlayerInventory;
 @Command(name = "enchant")
-@Permission("eternalcore.enchant")
 class EnchantCommand {
 private final EnchantSettings enchantSettings;
@@ -28,6 +27,7 @@ class EnchantCommand {
 }
 @Execute
+ @Permission("eternalcore.enchant")
 @DescriptionDocs(description = "Enchants item in hand", arguments = " ")
 void execute(@Sender Player player, @Arg Enchantment enchantment, @Arg(EnchantLevelArgument.KEY) int level) {
 PlayerInventory playerInventory = player.getInventory();
@@ -51,7 +51,8 @@ void execute(@Sender Player player, @Arg Enchantment enchantment, @Arg(EnchantLe
 }
 @Execute
- @DescriptionDocs(description = "Enchants item in hand", arguments = " ")
+ @Permission("eternalcore.enchant.other")
+ @DescriptionDocs(description = "Enchants the item held by the specified player", arguments = " ")
 void execute(@Sender Player sender, @Arg Enchantment enchantment, @Arg(EnchantLevelArgument.KEY) int level, @Arg Player target) {
 PlayerInventory targetInventory = target.getInventory();
 ItemStack handItem = targetInventory.getItem(targetInventory.getHeldItemSlot());
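Review bot: The `@Permission("eternalcore.enchant")` added above `execute(@Sender Player player, ...)` is now the only gate on the self overload, and with the class-level annotation gone any `@Execute` method added to EnchantCommand later is presumably reachable without a permission unless its author adds one. Per-method gating fails open by default, so the convention is worth writing down where the next contributor will see it, for example as a comment above the class: `// No class-level @Permission: every @Execute overload must declare its own permission node.` The method body continues outside the hunk.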
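Review bot: `eternalcore.enchant.other` on the target overload is checked on its own, so as far as the visible lines show, a sender holding only that node can name themselves as `target` and enchant their own held item without `eternalcore.enchant`. If `.other` is meant as an add-on to the base node rather than a superset of it, require both on this overload, e.g. `@Permission({"eternalcore.enchant", "eternalcore.enchant.other"})`, assuming the framework's annotation accepts several nodes and requires all of them. Otherwise the permission documentation should say that `.other` also covers self-targeting. The body of this overload continues past the hunk, so a sender/target comparison further down cannot be ruled out.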