Command#broadcastCommandMessage incorrectly uses Permission subscription status alone to collect recipients

XMLWordPrintable

    • Type: Bug
    • Resolution: Fixed
    • Priority: Minor
    • None
    • Affects Version/s: None
    • None
    • Environment:

      Latest Spigot build - although it seems this issue has been present for a long time. (since 1.7 at least)

      Command#broadcastCommandMessage is intended to replicate Vanilla broadcast style messages for Bukkit commands. ("[<sender name>: <message>]" in gray)

      In order to collect recipients, it uses PluginManager#getPermissionSubscriptions to return a list of Permissibles which have the permission set.

      https://hub.spigotmc.org/stash/projects/SPIGOT/repos/bukkit/browse/src/main/java/org/bukkit/command/Command.java#405

       

      However, the returned set includes ALL permissibles, even ones with the permission set to false, which leads to the following bug.

      https://paste.md-5.net/fegufahigo.java

      https://luck.sh/O8TTlqTNWL9PVfjjp0Gx-UptxrQ=

      For example, if you set the administrative broadcast permission to false for a player, they will still receive admin broadcast messages, because a false setting still subscribes them to the permission.

       

      This issue does not exist in Server#broadcast, as an additional permission check is performed.

      https://hub.spigotmc.org/stash/projects/SPIGOT/repos/craftbukkit/browse/src/main/java/org/bukkit/craftbukkit/CraftServer.java#1220

       

            Assignee:
            Unassigned
            Reporter:
            Luck
            Votes:
            0 Vote for this issue
            Watchers:
            1 Start watching this issue

              Created:
              Updated:
              Resolved: