DrVrej/VJ-Base

vj_npcspawner_sv_create can be exploited

44lr opened this issue · 1 comments

44lr commented

Any cheater can fire vj_npcspawner_sv_create and spawn whichever entity they please.

The function that handles vj_npcspawner_sv_create / the spawner entity should verify if what it's going to spawn is an NPC or not, and if it's an admin-only entity.

As of right now, anyone can use it to spawn whichever entity they desire and as many times as they please. (This can also be used to crash servers, besides the other obvious problems that come from being able to spawn any entity)

I understand the concern but they can only run said command if they are holding the toolgun and have NPC Spawner active. This means, the gamemode must be in a Sandbox environment, something that 99% servers aren't. For the remaining tiny fraction of servers, the big ones will have proper admin mods installed, restricting tools like this to admin-only (As they should). I can start adding admin checks everywhere in these tools, but then it will make the tools harder to use for people who are running small private server with friends. Just simply lock tools like this to admin-only in your Sandbox server, and you won't have any issues 👍

Note: I will add a check to disallow spawning admin-only entities, but if won't do much, I highly suggest setting up an admin mod in your server and locking certain tools, entities, etc to admins only.