Topic: Output Event-Server Command

You'd expect people to be clever enough and only enable the mod if it is actually required for whatever specific gamemode they're working on, and combine it with admin only events.

Badspot

  • Administrator
Look, I'm sorry that I had to remove the add-on you worked on but it's just not a sound design. Anyone could build a brick that would shut down the server or ban someone or whatever. If you release this, kids will turn it on all the time and their experience will be made worse and they won't know what's going on.

It's easy to blame them for turning it on but really the problem is that the design is so prone to failure that it is almost unavoidable.  Please don't fight me on this.  This would be another eval nightmare if released.

I think badspot is speaking from experience here (the build rules addon that was default and everybody was turning it on and then complaining?)

Anyone could build a brick that would shut down the server or ban someone or whatever.
Couldn't we just have it so that only the host can use the event? It would still be extremely useful, and the only person who could do these kinds of things would be the only person who could do them anyway.

Please don't fight me on this.
I don't want to argue about the mod, but I really think that it could be useful, and if you have an unchangeable restriction on it then it can't be abused either.
« Last Edit: January 20, 2014, 03:30:18 AM by Who Cares99 »

I think badspot is speaking from experience here
No, he has seen people make these kinds of add-ons, which are very vulnerable to servers, making them less secure. Like he said, it can do a lot of stuff if it gets to the wrong hands of someone. Such as the eval add-ons, you shouldn't even have one if you have no idea what it is and you are just giving eval permission out to other people.

I have seen injection vulnerabilities on servers via eval. I don't understand why you would even trust them with eval, especially giving eval permission to smart coders, some are nice to help, and some are just wanting to destroy the server within seconds.

Couldn't we just have it so that only the host can use the event? It would still be extremely useful, and the only person who could do these kinds of things would be the only person who could do them anyway.
Well, I guess it could be fine for host only, but it can still be abusive from the host. Like saying if they step on a brick, it uses /messageSent and then they spam "I am the most biggest piece of stuff in the world.. asjdijaifjidjifjsidjfisjdifjs idfjsijf---"..

yes, eval is the other part I was talking about
if badspot took down eval in chat form, what's so different about eval in event form? or is this mod for chat commands instead of console functions?
Couldn't we just have it so that only the host can use the event?
and then somebody somehow tricks the host into doing something and they complain
can happen without this, but this might make it easier

Well, I guess it could be fine for host only, but it can still be abusive from the host. Like saying if they step on a brick, it uses /messageSent and then they spam "I am the most biggest piece of stuff in the world.. asjdijaifjidjifjsidjfisjdifjs idfjsijf---"..
I think that would fall under intentionally worsening your server, in which case I don't think you really have room to complain. Badspot's point was that people could get access to commands that they aren't regularly allowed to access. Since I can't think of any command that's restricted to the host, I think that making the event host-only takes care of the problem.

Just not making the add-on will create less risk for everyone. Plus, badspot will either just remove it, or will remove it and ban you.

There is a reason why everything will get fail binned if it creates vulnerabilities to the server.

what's so different about eval in event form? or is this mod for chat commands instead of console functions?
It was using server commands, they can be easily spammed, and like Badspot said, it has a possibility of shutting down the server. These can be used with relay events, which the server will just be a disappointment.

and then somebody somehow tricks the host into doing something and they complain
can happen without this, but this might make it easier
I don't think it would make it easier; the only difference is where the host types the command.

Just not making the add-on will create less risk for everyone. Plus, badspot will either just remove it, or will remove it and ban you.

There is a reason why everything will get fail binned if it creates vulnerabilities to the server.
What vulnerability would it create with a host-only restriction? All I've heard is that it would let the host do things more rapidly and possibly crash the server. However, I don't think that the risk of a host deliberately spamming/crashing his own server is a reason not to have the mod.

What vulnerability would it create with a host-only restriction? All I've heard is that it would let the host do things more rapidly and possibly crash the server. However, I don't think that the risk of a host deliberately spamming/crashing his own server is a reason not to have the mod.
I was talking about if it wasn't for the host.

I was talking about if it wasn't for the host.
Ah. Yeah, I don't see any vulnerabilities with having it be host-only. I think it would be safe to make, but I'd see if Badspot has anything to say about it first.

Ah. Yeah, I don't see any vulnerabilities with having it be host-only. I think it would be safe to make, but I'd see if Badspot has anything to say about it first.
It would be safer for the host, just hopefully the host isn't an idiot..

It would be safer for the host, just hopefully the host isn't an idiot..
If the host doesn't know what the effects will be they probably won't know how to use the event either.