Glitch that allowes players to op themselfes?


I know this existed, but i thought it got fixed?
I just took a look in my server log this morning:

[07:44:43] [Server thread/INFO]: [sk0rp1s] hi
[07:44:43] [Server thread/INFO]: [sk0rp1s] hi
[07:44:44] [Server thread/INFO]: [sk0rp1s] hi
[07:44:56] [Server thread/INFO]: [sk0rp1s: Opped sk0rp1s]
[07:44:57] [Server thread/INFO]: [sk0rp1s: Opped sk0rp1s]
[07:44:57] [Server thread/INFO]: [sk0rp1s: Opped sk0rp1s]
[07:46:41] [Server thread/INFO]: [sk0rp1s: Set sk0rp1s's game mode to Creative Mode]
[07:46:41] [Server thread/INFO]: [sk0rp1s: Set sk0rp1s's game mode to Creative Mode]
[07:46:41] [Server thread/INFO]: [sk0rp1s: Set sk0rp1s's game mode to Creative Mode]

He ended up in my ban list and i blocked the op command entirely now, but how was he able to do that? I have to admit that the forge/sponge version i use are not the newest (still work on updating my plugins), but does somebody know if anything similar got fixed in the past weeks? :smile:
(Sponge: 1.8-1499-2.1DEV-584, Forge: 1499)


I'd have a look at the permission management first. If your default group has OP permission, then every new user can /op themselves and gain further rights.


I programmed this permission management myself, and testing it with a second account all the time ... nope! Definitely no! :smiley:


What does your permission plugin return when queried for "minecraft.command.op"? If the registered PermissionService allows that permission then people can use the /op command


For the sake of argument, could you supply the source code for your permission plugin?


Hmm. I got a thought here:
Since i started early with the development of that plugin it is currently not using Sponges Permission-system
It literally reads and cancels command events. (I know its a bad way, don't hate me ill fix it :smiley: ) Could that be an issue? That is still a version without Cause's so maybe they are able to perform a command without them beeing the CommandSouce? I need to check that...


How come you don't Sponges Permission API?
I think that might be your problem :wink:


Even if this is a bad way, it should work, shouldn't it? ^^
Well but you're right. Ill first try to somehow reproduce that glitch with a better Permission system.
So just ignore this topic for now :smile:
Thanks for suggestions.


I think I found the issue.

This line:

if (evt.getSource() instanceof Player && hasPermission((Player) evt.getSource(), "execute." + evt.getCommand())) return;

must be:

if (evt.getSource() instanceof Player && !hasPermission((Player) evt.getSource(), "execute." + evt.getCommand())) return;


No, this method returning means it ignores the Command-execution and doesn't cancel it. :smiley: So if the Method returns there, the command gets executed!


The problem is that you only cancelling the event if the command is invalid and not if the player doesn't have the permissions


To explain the method:

For Every Command that is owned by my plugin:
Just let it run, the command itself checks permission before executing.

For every other command:
Cancel if the player don't has "execute." permission.

//ignore commands from console or commandblock
if (evt.getSource() instanceof ConsoleSource) return;
if (evt.getSource() instanceof CommandBlockSource) return;

//ignore commands if the player has "execute.<cmd-name>" permission
if (evt.getSource() instanceof Player && hasPermission((Player) evt.getSource(), "execute." + evt.getCommand())) return;

//Check if the command is owned by my plugin (CNMain.getPlugin())
Set<CommandMapping> commandSet = evt.getGame().getCommandDispatcher().getOwnedBy(CNMain.getPlugin()); 
CommandMapping cm = null;
for (CommandMapping mapping : commandSet){
    if (mapping.getAllAliases().contains(evt.getCommand())){
        cm = mapping;

//if the command is not owned by my plugin cancel it. (If it is owned by my plugin, it'll handle permissions itself)
if (cm == null){
    evt.getSource().sendMessage(Texts.of(TextColors.RED, "Diesen Command gibt es nicht! Gib /help ein um eine Liste verfügbarer Commands zu bekommen!"));


Das war mein Account, aber ich kann ihn nicht mehr benutzen, weil irgendein dummes Arschloch den wohl gehackt un das Passwort geändert hat. Leider komme ich nicht mehr an die E-Mail dran, weil ich die Anmeldedaten nicht mehr habe.



Bitte besuchen und kontaktieren Sie Mojang / Microsoft. Wir können wenig tun. Ihr Passwort befindet sich wahrscheinlich in einer Datenbank, die für viele Personen freigegeben ist.

Please visit and contact Mojang / Microsoft There is little we can do. Your password is likely in a database shared between many people.


This thread was from over 2 years ago, Not sure of the resolution of if it was the plugins fault or Sponges.

There was at one point a bug with clashing aliases, that used the permission of the clashing command instead of the permission for the raw minecraft command.

If there was a fake op override, or a command registering /op in order to tell people not to use it, it may have been the cause of the person opping themselves.